mirror of
https://github.com/discourse/discourse.git
synced 2024-11-29 20:24:05 -06:00
FIX: Correctly handle invalid auth cookies (#16995)
Previously it would blow up on invalid utf byte sequences. This was a source of spec flakiness.
This commit is contained in:
parent
98671445a7
commit
1a5dbbf430
@ -77,8 +77,9 @@ class Auth::DefaultCurrentUserProvider
|
||||
]
|
||||
|
||||
def self.find_v0_auth_cookie(request)
|
||||
cookie = request.cookies[TOKEN_COOKIE].presence
|
||||
if cookie && cookie.size == TOKEN_SIZE
|
||||
cookie = request.cookies[TOKEN_COOKIE]
|
||||
|
||||
if cookie&.valid_encoding? && cookie.present? && cookie.size == TOKEN_SIZE
|
||||
cookie
|
||||
end
|
||||
end
|
||||
@ -88,8 +89,10 @@ class Auth::DefaultCurrentUserProvider
|
||||
|
||||
env[DECRYPTED_AUTH_COOKIE] = begin
|
||||
request = ActionDispatch::Request.new(env)
|
||||
cookie = request.cookies[TOKEN_COOKIE]
|
||||
|
||||
# don't even initialize a cookie jar if we don't have a cookie at all
|
||||
if request.cookies[TOKEN_COOKIE].present?
|
||||
if cookie&.valid_encoding? && cookie.present?
|
||||
request.cookie_jar.encrypted[TOKEN_COOKIE]&.with_indifferent_access
|
||||
end
|
||||
end
|
||||
|
@ -29,6 +29,7 @@ describe Middleware::AnonymousCache do
|
||||
it "is true if it has an invalid auth cookie" do
|
||||
cookie = create_auth_cookie(token: SecureRandom.hex, issued_at: 5.minutes.ago)
|
||||
cookie = swap_2_different_characters(cookie)
|
||||
cookie.prepend("%a0%a1") # an invalid byte sequence
|
||||
expect(new_helper("HTTP_COOKIE" => "jack=1; _t=#{cookie}; jill=2").cacheable?).to eq(true)
|
||||
end
|
||||
|
||||
@ -376,5 +377,4 @@ describe Middleware::AnonymousCache do
|
||||
expect(@status).to eq(403)
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
Loading…
Reference in New Issue
Block a user