kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Merge pull request #33605 from assain/purpose-metadata-changelog-and-tests

Browse source 
Changelog and improved tests for purpose metadata added to cookies
This commit is contained in:
Kasper Timm Hansen 2018-08-15 19:57:49 +02:00 committed by GitHub
commit d25e65a514
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
actionpack/CHANGELOG.md
View file

@ -1,3 +1,19 @@
* Purpose metadata for signed/encrypted cookies.
Rails can now thwart attacks that attempt to copy signed/encrypted value
of a cookie and use it as the value of another cookie.
It does so by stashing the cookie-name in the purpose field which is
then signed/encrypted along with the cookie value. Then, on a server-side
read, we verify the cookie-names and discard any attacked cookies.
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
writes cookies with the new purpose and expiry metadata embedded.
Pull Request: #32937
*Assain Jaleel*
* Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
`respond_to` can match multiple types and lead to undefined behavior when

12
actionpack/test/dispatch/cookies_test.rb
View file

@ -1405,8 +1405,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
freeze_time do
travel 1001.years
travel 1001.years do
assert_nil cookies.encrypted[:favorite]
end
@ -1422,8 +1421,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
freeze_time do
travel 1001.years
travel 1001.years do
assert_nil cookies.signed[:favorite]
end
@ -1439,8 +1437,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
freeze_time do
travel 1001.years
travel 1001.years do
assert_nil cookies.encrypted[:favorite]
end
@ -1456,8 +1453,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
freeze_time do
travel 1001.years
travel 1001.years do
assert_nil cookies.signed[:favorite]
end