Fix array of cookies in response containing a blank cookie #343
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Without the fix, the blank cookie is compared and since it has no name the comparison fails on name.downcase. Rather than correct it there, this expands the processing of merged cookies to remove blank cookies not just in strings, but also in arrays.
|
Thanks for the report and patch. The fix looks good from a brief review. I'll do some testing with this tomorrow. |
jeremyevans
approved these changes
Feb 1, 2024
|
If you need to test, the way we were triggering this was: set_header("set-cookie", "") # this was actually `cookiejar.to_header` but it returns "" when there's no cookies
# then in content_security_policy middleware nonce generator, we forced the session to initialize so that a session id would be available as the nonce.
Rails.application.config.content_security_policy_nonce_generator = lambda { |request|
# Suggested nonce generator doesn't work on first page load https://github.com/rails/rails/issues/48463
# Related PR attempting to fix: https://github.com/rails/rails/pull/48510
request.session.update({}) # force session to be created
request.session.id.to_s.presence || SecureRandom.base64(16)
}It's a bit convoluted and took me hours to track down. Ultimately the fix for us was to not write the This looked like cookiejar in rack-test receiving: |
martinemde
commented
Feb 1, 2024
| it '#merge ignores empty cookies in cookie strings' do | ||
| jar = Rack::Test::CookieJar.new | ||
| jar.merge('', URI.parse('/')) | ||
| jar.merge("\nc=d") |
There was a problem hiding this comment.
oh hey, I missed a URI second arg here. Maybe that should be added if it's needed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Without the fix, the blank cookie is compared and since it has no name the comparison fails on name.downcase. Rather than correct it there, this expands the processing of merged cookies to remove blank cookies not just in strings, but also in arrays.
I altered the way empty cookies are removed from the raw_cookies because a passed array should not be mutable, so we just skip them during iteration now in both cases. This should also save a cycle or two updating the array result of split.
Also, my editor auto-cleaned up some whitespace. Let me know if that's undesirable and I will revert that line.