Don't try to set invalid cookies.
In Rack 3.1, using invalid cookie keys was deprecated and in Rack 3.2, using an invalid cookie key will raise an exception. Escaping cookie keys is non-standard behaviour and is not understood by clients, e.g. `document.cookies` will contain escaped keys. It also doesn't round-trip correctly, as in, setting a header with a given name won't have the same name in subsequent requests. In addition, the escaping / unescaping behaviour in previous versions of Rack [caused a security issue](https://github.com/advisories/GHSA-j6w9-fv6q-3q52).
Parent: 2ebb508cd8
Commit: f7f79480d6
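To make the round-trip problem from the commit message concrete, here is an added example (not code from the Rails commit or from Rack) of an RFC 6265 cookie-name check of the kind a strict `Set-Cookie` builder performs, beside the legacy form-escaping that turned `that & guy` into `that+%26+guy`. It assumes values are still form-escaped, which the page does not state.

```ruby
# Added example, not the Rails or Rack implementation: an RFC 6265
# "cookie-name" check of the kind a strict Set-Cookie builder performs.
require "cgi"

# RFC 6265 cookie-name is an HTTP token: printable ASCII without
# separators such as space, ";", ",", "=", quotes or brackets.
COOKIE_NAME_PATTERN = /\A[!#%&'*+\-.0-9A-Z^_`a-z|~$]+\z/

def valid_cookie_name?(name)
  COOKIE_NAME_PATTERN.match?(name)
end

# The escaping older Rack applied to an invalid key. A browser stores the
# escaped string verbatim, so the key comes back as "that+%26+guy", not as
# the name the application set: the round-trip failure the commit describes.
def legacy_escaped_name(name)
  CGI.escape(name)
end

class InvalidCookieName < ArgumentError; end

# Strict builder: refuse an invalid name outright instead of escaping it.
# Values are assumed to stay form-escaped (assumption, not stated on the page).
def set_cookie_header(name, value, path: "/", same_site: "Lax")
  raise InvalidCookieName, name.inspect unless valid_cookie_name?(name)
  "#{name}=#{CGI.escape(value)}; path=#{path}; SameSite=#{same_site}"
end
```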
@ -115,11 +115,6 @@ def authenticate
head :ok
end
def set_with_with_escapable_characters
cookies["that & guy"] = "foo & bar => baz"
head :ok
end
def authenticate_for_fourteen_days
cookies["user_name"] = { "value" => "david", "expires" => Time.utc(2005, 10, 10, 5) }
head :ok
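Review bot: deleting `set_with_with_escapable_characters` removes the only test action that sets a cookie whose key contains a space and `&`, with nothing replacing it. Since the commit message states that Rack 3.2 raises on such keys, add an action that attempts `cookies["that & guy"] = "foo & bar => baz"` so a test can assert the exception is raised and the invalid name never reaches the Set-Cookie header (this also retires the doubled `with_with` in the method name). If values containing `&` and `=>` are still meant to be escaped, keep that coverage with a valid key such as `user_name`.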
@ -493,12 +488,6 @@ def test_setting_the_same_value_to_permanent_cookie
assert_equal({ "user_name" => "Jamie" }, response.cookies)
end
def test_setting_with_escapable_characters
get :set_with_with_escapable_characters
assert_set_cookie_header "that+%26+guy=foo+%26+bar+%3D%3E+baz; path=/; SameSite=Lax"
assert_equal({ "that & guy" => "foo & bar => baz" }, @response.cookies)
end
def test_setting_cookie_for_fourteen_days
get :authenticate_for_fourteen_days
assert_set_cookie_header "user_name=david; path=/; expires=Mon, 10 Oct 2005 05:00:00 GMT; SameSite=Lax"
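Review bot: the deleted assertion `assert_set_cookie_header "that+%26+guy=foo+%26+bar+%3D%3E+baz; path=/; SameSite=Lax"` was the one place pinning the behaviour the commit message calls non-standard (the key reaching the client as `that+%26+guy` while `@response.cookies` reported `"that & guy"`), and `test_setting_with_escapable_characters` is removed without a successor. Replace it rather than only deleting it, for example an `assert_raises` around the request that sets the `"that & guy"` cookie, so the new rejection is exercised and a regression back to silent escaping fails the suite. Also note that escaping of the value `foo & bar => baz` to `foo+%26+bar+%3D%3E+baz` is no longer asserted in the visible hunks; if value escaping is unchanged, keep that check under a valid key.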