Merge pull request #36537 from quadule/fix-cookie-rotation-hash-pollution

Fix cookie modification during rotation
2019-08-05 03:57:08 +02:00 · 2019-08-05 03:57:08 +02:00 · 4f235e9a86
parent 3d1f6feda2 27db230bd1
commit 4f235e9a86
2 changed files with 19 additions and 2 deletions
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@ -532,9 +532,13 @@ module ActionDispatch
          if value
            case
            when needs_migration?(value)
-              self[name] = Marshal.load(value)
+              Marshal.load(value).tap do |v|
+                self[name] = { value: v }
+              end
            when rotate
-              self[name] = serializer.load(value)
+              serializer.load(value).tap do |v|
+                self[name] = { value: v }
+              end
            else
              serializer.load(value)
            end
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@ -893,6 +893,19 @@ class CookiesTest < ActionController::TestCase
    assert_equal 45, encryptor.decrypt_and_verify(@response.cookies["foo"])
  end

+  def test_cookie_with_hash_value_not_modified_by_rotation
+    @request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
+    @request.env["action_dispatch.cookies_rotations"].rotate :signed, digest: "SHA1"
+
+    key_generator = @request.env["action_dispatch.key_generator"]
+    old_secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+    old_value = ActiveSupport::MessageVerifier.new(old_secret).generate(bar: "baz")
+
+    @request.headers["Cookie"] = "foo=#{old_value}"
+    get :get_signed_cookie
+    assert_equal({ bar: "baz" }, @controller.send(:cookies).signed[:foo])
+  end
+
  def test_cookie_with_all_domain_option
    get :set_cookie_with_domain
    assert_response :success