Merge pull request #36537 from quadule/fix-cookie-rotation-hash-pollution
Fix cookie modification during rotation
commit
4f235e9a86
|
@ -532,9 +532,13 @@ module ActionDispatch
|
|||
if value
|
||||
case
|
||||
when needs_migration?(value)
|
||||
self[name] = Marshal.load(value)
|
||||
Marshal.load(value).tap do |v|
|
||||
self[name] = { value: v }
|
||||
end
|
||||
when rotate
|
||||
self[name] = serializer.load(value)
|
||||
serializer.load(value).tap do |v|
|
||||
self[name] = { value: v }
|
||||
end
|
||||
else
|
||||
serializer.load(value)
|
||||
end
|
||||
|
|
|
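Review bot: `Marshal.load(value)` in the `needs_migration?` branch stays on the new side, and nothing in this hunk shows that `value` has already passed signature verification or decryption. Marshal deserialization of an unverified cookie would let the client choose which objects get instantiated. If verification happens before this method is called (not visible here), a comment at the branch would make that precondition explicit: `# value has already been verified/decrypted by the caller; never pass a raw cookie here`. The `{ value: v }` wrapper also deserves a line, e.g. `# wrap so a Hash payload is not read as the cookie options hash by []=`, because that is the whole fix and is easy to undo in a later cleanup. The enclosing method begins and ends outside the hunk.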
@ -893,6 +893,19 @@ class CookiesTest < ActionController::TestCase
|
|||
assert_equal 45, encryptor.decrypt_and_verify(@response.cookies["foo"])
|
||||
end
|
||||
|
||||
def test_cookie_with_hash_value_not_modified_by_rotation
|
||||
@request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
|
||||
@request.env["action_dispatch.cookies_rotations"].rotate :signed, digest: "SHA1"
|
||||
|
||||
key_generator = @request.env["action_dispatch.key_generator"]
|
||||
old_secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
|
||||
old_value = ActiveSupport::MessageVerifier.new(old_secret).generate(bar: "baz")
|
||||
|
||||
@request.headers["Cookie"] = "foo=#{old_value}"
|
||||
get :get_signed_cookie
|
||||
assert_equal({ bar: "baz" }, @controller.send(:cookies).signed[:foo])
|
||||
end
|
||||
|
||||
def test_cookie_with_all_domain_option
|
||||
get :set_cookie_with_domain
|
||||
assert_response :success
|
||||
|
|
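Review bot: `test_cookie_with_hash_value_not_modified_by_rotation` asserts only the value read back through `cookies.signed[:foo]`, so it would still pass if the rotated cookie written to the response were malformed or still signed with the old SHA1 digest. The neighbouring test above checks the re-issued cookie with `encryptor.decrypt_and_verify(@response.cookies["foo"])`. An equivalent assertion here would verify `@response.cookies["foo"]` with a SHA256 `ActiveSupport::MessageVerifier` and compare the result with `{ bar: "baz" }`, which pins the write side of the rotation as well. The `needs_migration?` branch changed by the same commit has no matching test in this hunk.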