Don't try to set invalid cookies.

In Rack 3.1, using invalid cookie keys was deprecated and in Rack 3.2, using an invalid cookie key will raise an exception. Escaping cookie keys is non-standard behaviour and is not understood by clients, e.g. `document.cookies` will contain escaped keys. It also doesn't round-trip correctly, as in, setting a header with a given name won't have the same name in subsequent requests. In addition, the escaping / unescaping behaviour in previous versions of Rack [caused a security issue](https://github.com/advisories/GHSA-j6w9-fv6q-3q52).
2024-06-12 10:02:36 +09:00 · 2024-06-12 10:02:36 +09:00 · f7f79480d6
commit f7f79480d6
parent 2ebb508cd8
1 changed files with 0 additions and 11 deletions
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@ -115,11 +115,6 @@ def authenticate
      head :ok
    end

-    def set_with_with_escapable_characters
-      cookies["that & guy"] = "foo & bar => baz"
-      head :ok
-    end
-
    def authenticate_for_fourteen_days
      cookies["user_name"] = { "value" => "david", "expires" => Time.utc(2005, 10, 10, 5) }
      head :ok
@ -493,12 +488,6 @@ def test_setting_the_same_value_to_permanent_cookie
    assert_equal({ "user_name" => "Jamie" }, response.cookies)
  end

-  def test_setting_with_escapable_characters
-    get :set_with_with_escapable_characters
-    assert_set_cookie_header "that+%26+guy=foo+%26+bar+%3D%3E+baz; path=/; SameSite=Lax"
-    assert_equal({ "that & guy" => "foo & bar => baz" }, @response.cookies)
-  end
-
  def test_setting_cookie_for_fourteen_days
    get :authenticate_for_fourteen_days
    assert_set_cookie_header "user_name=david; path=/; expires=Mon, 10 Oct 2005 05:00:00 GMT; SameSite=Lax"