Changelog for the new purpose metadata and improved tests
This commit is contained in:
Assain
parent
f2970a08b5
commit
5fbdfef0a3
@ -1,3 +1,19 @@
|
|||||||
|
* Purpose metadata for signed/encrypted cookies.
|
||||||
|
|
||||||
|
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
||||||
|
of a cookie and use it as the value of another cookie.
|
||||||
|
|
||||||
|
It does so by stashing the cookie-name in the purpose field which is
|
||||||
|
then signed/encrypted along with the cookie value. Then, on a server-side
|
||||||
|
read, we verify the cookie-names and discard any attacked cookies.
|
||||||
|
|
||||||
|
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
||||||
|
writes cookies with the new purpose and expiry metadata embedded.
|
||||||
|
|
||||||
|
Pull Request: #32937
|
||||||
|
|
||||||
|
*Assain Jaleel*
|
||||||
|
|
||||||
* Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
|
* Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
|
||||||
|
|
||||||
`respond_to` can match multiple types and lead to undefined behavior when
|
`respond_to` can match multiple types and lead to undefined behavior when
|
||||||
|
|||||||
@ -1405,8 +1405,7 @@ def test_read_rails_5_2_stable_encrypted_cookies_if_config_is_false
|
|||||||
|
|
||||||
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
|
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
|
||||||
|
|
||||||
freeze_time do
|
travel 1001.years do
|
||||||
travel 1001.years
|
|
||||||
assert_nil cookies.encrypted[:favorite]
|
assert_nil cookies.encrypted[:favorite]
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -1422,8 +1421,7 @@ def test_read_rails_5_2_stable_signed_cookies_if_config_is_false
|
|||||||
|
|
||||||
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
|
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
|
||||||
|
|
||||||
freeze_time do
|
travel 1001.years do
|
||||||
travel 1001.years
|
|
||||||
assert_nil cookies.signed[:favorite]
|
assert_nil cookies.signed[:favorite]
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -1439,8 +1437,7 @@ def test_read_rails_5_2_stable_encrypted_cookies_if_use_metadata_config_is_true
|
|||||||
|
|
||||||
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
|
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
|
||||||
|
|
||||||
freeze_time do
|
travel 1001.years do
|
||||||
travel 1001.years
|
|
||||||
assert_nil cookies.encrypted[:favorite]
|
assert_nil cookies.encrypted[:favorite]
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -1456,8 +1453,7 @@ def test_read_rails_5_2_stable_signed_cookies_if_use_metadata_config_is_true
|
|||||||
|
|
||||||
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
|
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
|
||||||
|
|
||||||
freeze_time do
|
travel 1001.years do
|
||||||
travel 1001.years
|
|
||||||
assert_nil cookies.signed[:favorite]
|
assert_nil cookies.signed[:favorite]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user