
Commit 723f545

rafaelfranca authored and tenderlove committed
Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers
Disable session in ActiveStorage blobs and representations proxy controllers [CVE-2024-26144]
1 parent fc734f2 commit 723f545

4 files changed

+22
-0
lines changed


Diff for: activestorage/CHANGELOG.md

+8
@@ -1,3 +1,11 @@
1+
* Disables the session in `ActiveStorage::Blobs::ProxyController`
2+
and `ActiveStorage::Representations::ProxyController`
3+
in order to allow caching by default in some CDNs as CloudFlare
4+
5+
Fixes #44136
6+
7+
*Bruno Prieto*
8+
19
## Rails 7.0.8 (September 09, 2023) ##
210

311
* No changes.
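Review bot: the entry gives only the CDN-caching motivation and omits the CVE-2024-26144 identifier that the merge title carries, so anyone scanning the changelog for security fixes will miss it. Suggest appending the identifier and one clause on the effect, e.g. `in order to allow caching by default in some CDNs such as Cloudflare, so that proxied blob responses no longer carry a session cookie [CVE-2024-26144]`. Also `as CloudFlare` should read `such as Cloudflare`.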

Diff for: activestorage/app/controllers/active_storage/blobs/proxy_controller.rb

+1
@@ -9,6 +9,7 @@
99
class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
1010
include ActiveStorage::SetBlob
1111
include ActiveStorage::Streaming
12+
include ActiveStorage::DisableSession
1213

1314
def show
1415
if request.headers["Range"].present?
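Review bot: no test accompanies the include, and none of the four files in this change is a test; a regression test that requests the blobs proxy route and asserts the response carries no `Set-Cookie` header would lock in the guarantee this concern is meant to provide. Placing the include after `ActiveStorage::Streaming` is fine, since the `before_action` the concern registers runs before `show` regardless of include order.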

Diff for: activestorage/app/controllers/active_storage/representations/proxy_controller.rb

+1
@@ -8,6 +8,7 @@
88
# {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
99
class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
1010
include ActiveStorage::Streaming
11+
include ActiveStorage::DisableSession
1112

1213
def show
1314
http_cache_forever public: true do
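Review bot: `show` wraps its body in `http_cache_forever public: true`, which declares the response publicly cacheable; that is precisely the response on which a session cookie must never appear, so the include is needed here as much as in the blobs controller. Mirror the `Set-Cookie`-absent assertion suggested for the blobs proxy in a representations test so both controllers are covered.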
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# frozen_string_literal: true
2+
3+
# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
4+
module ActiveStorage::DisableSession
5+
extend ActiveSupport::Concern
6+
7+
included do
8+
before_action do
9+
request.session_options[:skip] = true
10+
end
11+
end
12+
end
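Review bot: the module comment documents only the caching motivation; since this change ships under CVE-2024-26144, it should also state the security effect of `request.session_options[:skip] = true`: the session is not committed for the request, so the response carries no session cookie that a shared cache could store and hand to other clients. Style: `as CloudFlare` should be `such as Cloudflare`. The header line above this hunk shows no file path, so confirm the concern lives under the Active Storage controllers' concerns directory where the two `include` lines will autoload it.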
