From f06e49d6643cf9ab19bb84ee56864e81574fa357 Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Thu, 7 Apr 2022 14:43:21 +1200
Subject: [PATCH] Use lower case normalisation for cookie attributes. (#1849)
---
 CHANGELOG.md | 1 +
 lib/rack/mock.rb | 2 +-
 lib/rack/utils.rb | 2 +-
 test/spec_response.rb | 4 ++--
 4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08004417..d3a6b081 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -52,6 +52,7 @@ All notable changes to this project will be documented in this file. For info on
 - rackup -D option to daemonizes no longer changes the working directory to the root. ([#1813](https://github.com/rack/rack/pull/1813), [@jeremyevans](https://github.com/jeremyevans))
 - The X-Forwarded-Proto header is now considered before the X-Forwarded-Scheme header for determining the forwarded protocol. `Rack::Request.x_forwarded_proto_priority` accessor has been added for configuring the priority of which header to check. ([#1809](https://github.com/rack/rack/issues/1809), [@jeremyevans](https://github.com/jeremyevans))
 - `Rack::Request.forwarded_authority` (and methods that call it, such as `host`) now returns the last authority in the forwarded header, instead of the first, as earlier forwarded authorities can be forged by clients. This restores the Rack 2.1 behavior. ([#1829](https://github.com/rack/rack/issues/1809), [@jeremyevans](https://github.com/jeremyevans))
+- Use lower case cookie attributes when creating cookies, and fold cookie attributes to lower case when reading cookies (specifically impacting `secure` and `httponly` attributes). ([#1849](https://github.com/rack/rack/pull/1849), [@ioquatix](https://github.com/ioquatix))
 ### Fixed
diff --git a/lib/rack/mock.rb b/lib/rack/mock.rb
index 0108eefa..04e69561 100644
--- a/lib/rack/mock.rb
+++ b/lib/rack/mock.rb
@@ -266,7 +266,7 @@ module Rack
 cookie_bits.drop(1).each do |bit|
 if bit.include? '='
 cookie_attribute, attribute_value = bit.split('=', 2)
- cookie_attributes.store(cookie_attribute.strip, attribute_value.strip)
+ cookie_attributes.store(cookie_attribute.strip.downcase, attribute_value.strip)
 end
 if bit.include? 'secure'
 cookie_attributes.store('secure', true)
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index e6268e5f..b31d3799 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -259,7 +259,7 @@ module Rack
 max_age = "; max-age=#{value[:max_age]}" if value[:max_age]
 expires = "; expires=#{value[:expires].httpdate}" if value[:expires]
 secure = "; secure" if value[:secure]
- httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
+ httponly = "; httponly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
 same_site =
 case value[:same_site]
 when false, nil
diff --git a/test/spec_response.rb b/test/spec_response.rb
index c8fe17a3..6cbdbf6d 100644
--- a/test/spec_response.rb
+++ b/test/spec_response.rb
@@ -132,13 +132,13 @@ describe Rack::Response do
 it "can set http only cookies" do
 response = Rack::Response.new
 response.set_cookie "foo", { value: "bar", httponly: true }
- response["Set-Cookie"].must_equal "foo=bar; HttpOnly"
+ response["Set-Cookie"].must_equal "foo=bar; httponly"
 end
 it "can set http only cookies with :http_only" do
 response = Rack::Response.new
 response.set_cookie "foo", { value: "bar", http_only: true }
- response["Set-Cookie"].must_equal "foo=bar; HttpOnly"
+ response["Set-Cookie"].must_equal "foo=bar; httponly"
 end
 it "can set prefers :httponly for http only cookie setting when :httponly and :http_only provided" do
-- 2.11.4.GIT
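Review bot: The lower-case normalisation added to the store call is not applied to the flag check two lines below it — `if bit.include? 'secure'` is still case-sensitive and is a substring test, so a `Secure` flag as commonly sent by servers is not recorded, while any attribute whose name or value merely contains `secure` (a constructed example: `path=/secure`) sets the flag. Making that line `if bit.strip.downcase == 'secure'` keeps the parse consistent with the normalisation this commit introduces. The enclosing `each` loop and its method begin before and continue past the hunk, so any later flag check in the same loop (an httponly check, if present) should be normalised the same way.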
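Review bot: The new `"; httponly"` literal changes the bytes of a response header that downstream code may be matching literally, and nothing on the line records why the casing is safe; a comment on the changed line, `# attribute names are case-insensitive (RFC 6265), so emit lower case to match the secure flag above`, would stop a later reader from restoring `HttpOnly`. The unchanged ternary `(value.key?(:httponly) ? value[:httponly] : value[:http_only])` is equivalent to and reads more clearly as `value.fetch(:httponly) { value[:http_only] }`. The method this hunk belongs to starts and ends outside the hunk.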
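Review bot: The two rewritten expectations cover only the emitting side of this commit; the reading side it also changes (the `downcase` added to the attribute store in lib/rack/mock.rb) has no spec anywhere in the patch, so folding a mixed-case header such as the constructed `foo=bar; HttpOnly; Secure` to lower-case attribute keys is unverified. A spec that feeds Rack::MockResponse a Set-Cookie value with mixed-case attribute names and asserts the parsed attribute keys are lower case would pin that behaviour. The enclosing describe block starts before and continues past the hunk.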