
Added documentation on how to mitigate CVE-2015-9284. #175

Merged
merged 3 commits into from
Mar 10, 2021

Conversation

thorsteneckel
Contributor

As requested by @sikachu in #151, I added a block to the README on how to mitigate CVE-2015-9284 by converting insecurely stored session IDs via an Active Record migration, including an example and a remark for custom Session classes.

cc @rafaelfranca
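The conversion the description above refers to, shown as an added example that is not the gem's README migration and does not use its API: existing session rows hold the raw session ID, which is also the cookie value, so a leaked `sessions` table hands an attacker replayable cookies. Storing a SHA-256 digest instead, and converting legacy rows in one idempotent pass, removes that. The `sha256:` prefix, the helper names and the sample rows are assumptions made for this example; the gem's own migration, ID format and handling of custom Session classes are documented in its README.

```ruby
require "digest"

# Marker prepended to hashed session IDs so a migration can tell converted rows
# from legacy cleartext ones. The prefix is an assumption for this example, not
# the gem's own format.
HASHED_PREFIX = "sha256:"

# Hash the raw session ID (the value carried in the cookie) before storing it.
# With only the digest in the table, a database leak does not yield cookie
# values an attacker could replay against the application.
def secure_session_id(raw_id)
  HASHED_PREFIX + Digest::SHA256.hexdigest(raw_id)
end

def hashed?(stored_id)
  stored_id.start_with?(HASHED_PREFIX)
end

# In-memory stand-in for the sessions table; each row is {id:, session_id:, data:}.
# Constructed sample rows, deliberately mixed: a real table may already contain
# rows written by the upgraded store alongside legacy cleartext rows.
def sample_sessions
  [
    { id: 1, session_id: "2f7c0a9d7e3b4c1d8a5e6f7a8b9c0d1e", data: "user_id=42" },
    { id: 2, session_id: secure_session_id("aabbccdd00112233445566778899eeff"), data: "user_id=7" },
    { id: 3, session_id: "0123456789abcdef0123456789abcdef", data: "cart=[1,2]" },
  ]
end

# The migration body: convert every legacy row in place and leave hashed rows
# alone. Idempotent, so re-running after an interruption is safe.
# Returns the number of rows converted.
def migrate_sessions!(rows)
  converted = 0
  rows.each do |row|
    next if hashed?(row[:session_id])
    row[:session_id] = secure_session_id(row[:session_id])
    converted += 1
  end
  converted
end

# Lookup path after the migration: hash the cookie value first, then search
# the table by digest. Existing cookies keep working because the digest of the
# raw value matches the converted column.
def find_session(rows, cookie_value)
  digest = secure_session_id(cookie_value)
  rows.find { |row| row[:session_id] == digest }
end

# True if the table still contains the raw cookie value anywhere, i.e. the
# leak-to-hijack path is still open for that session.
def leaks_cookie?(rows, cookie_value)
  rows.any? { |row| row[:session_id] == cookie_value }
end

if $PROGRAM_NAME == __FILE__
  rows = sample_sessions
  raw = "2f7c0a9d7e3b4c1d8a5e6f7a8b9c0d1e"
  puts "before: table leaks cookie? #{leaks_cookie?(rows, raw)}"
  puts "converted #{migrate_sessions!(rows)} legacy rows"
  puts "second run converts #{migrate_sessions!(rows)} rows"
  puts "after: table leaks cookie? #{leaks_cookie?(rows, raw)}"
  puts "cookie still resolves to: #{find_session(rows, raw)[:data]}"
end
```

Run the migration in a transaction per batch on a real table, and note that the lookup column must be converted and queried the same way everywhere, including any custom Session class the application substitutes for the gem's default.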

Contributor

@kratob kratob left a comment

Thanks for taking care of this! ❤️

Co-authored-by: Tobias Kraze <tobias.kraze@makandra.de>
…ks to @n00dle.

Co-authored-by: n00dle <richardwu@gmail.com>
Member

@sikachu sikachu left a comment

There are a few things I want to touch up in this documentation, but I don't think it's worth blocking the PR for them. I think I can work on them in a follow-up commit.

Overall, I think this looks good to me.

@sikachu sikachu merged commit c16ddd2 into rails:master Mar 10, 2021
@@ -109,7 +109,30 @@ MyLogger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
This silencer is being used to silence the logger and not leaking private
information into the log, and it is required for security reason.

## Contributing to Active Record Session Store
CVE-2015-9284 mitigation
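Review bot: the new section heading at the end of this hunk, `CVE-2015-9284 mitigation`, appears without the `##` prefix that the adjacent `## Contributing to Active Record Session Store` heading uses; if the committed line really lacks it, make it `## CVE-2015-9284 mitigation` so the section renders at the same level and shows up in the README outline. Separately, the identifier in that heading and in the PR title should be checked against the advisory before this lands, since the inline comment on this line asks whether CVE-2019-25025 was meant; a README that cites the wrong CVE sends readers to an unrelated advisory. The hunk header records 23 added lines, but only the heading is visible here, so the migration example itself is not reviewed in this note.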
Contributor

@thorsteneckel, was this just a mistake, or does CVE-2015-9284 have any connection to CVE-2019-25025?

5 participants