
Commit 78fe149

rafaelfranca authored and tenderlove committed
Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers
Disable session in ActiveStorage blobs and representations proxy controllers [CVE-2024-26144]
1 parent 56bcc0a commit 78fe149

4 files changed, +22 −0 lines changed


Diff for: activestorage/CHANGELOG.md

+8
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,11 @@
1+
* Disables the session in `ActiveStorage::Blobs::ProxyController`
2+
and `ActiveStorage::Representations::ProxyController`
3+
in order to allow caching by default in some CDNs as CloudFlare
4+
5+
Fixes #44136
6+
7+
*Bruno Prieto*
8+
19
## Rails 6.1.7.6 (August 22, 2023) ##
210

311
* No changes.
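Review bot: the CHANGELOG entry records only the CDN-caching motivation and omits the security reason given in the commit title, CVE-2024-26144, so someone scanning the changelog for the advisory will not find it; suggest appending the identifier to the entry, e.g. `in order to allow caching by default in some CDNs such as Cloudflare [CVE-2024-26144]`. While there, the phrase `some CDNs as CloudFlare` should read `some CDNs such as Cloudflare`.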

Diff for: activestorage/app/controllers/active_storage/blobs/proxy_controller.rb

+1
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44
class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
55
include ActiveStorage::SetBlob
66
include ActiveStorage::SetHeaders
7+
include ActiveStorage::DisableSession
78

89
def show
910
http_cache_forever public: true do
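Review bot: the security point is in the unchanged context lines below the include: `show` marks the response with `http_cache_forever public: true`, so any `Set-Cookie` header carrying the session cookie would be stored by a shared cache honoring `Cache-Control: public` and replayed to other clients. `include ActiveStorage::DisableSession` closes that by skipping the session write. Include order is fine here: `before_action` callbacks run in inclusion order, so `SetBlob` and `SetHeaders` run before the skip flag is set, but the flag is consulted when the session is committed at the end of the request, not when it is read, so an earlier callback reading `session` cannot cause a cookie to be emitted. Suggest adding a controller test that fetches a proxied blob and asserts the response carries no `Set-Cookie` header while `Cache-Control` still contains `public`.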

Diff for: activestorage/app/controllers/active_storage/representations/proxy_controller.rb

+1
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
# Proxy files through application. This avoids having a redirect and makes files easier to cache.
44
class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
55
include ActiveStorage::SetHeaders
6+
include ActiveStorage::DisableSession
67

78
def show
89
http_cache_forever public: true do
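Review bot: the parent class `ActiveStorage::Representations::BaseController` is not part of this diff; worth confirming that nothing it (or `SetHeaders`) does forces a session write before this concern's `before_action` runs, since the file comment on line 3 promises these responses are cacheable and `show` sets `http_cache_forever public: true` on the line below. The commit title deliberately scopes the change to the proxy controllers; a one-line note in the PR or CHANGELOG saying why the non-proxy variants do not need it would save the next reader the same question. A test mirroring the blobs one (no `Set-Cookie` on a proxied representation response) should go in with this hunk.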
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# frozen_string_literal: true
2+
3+
# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
4+
module ActiveStorage::DisableSession
5+
extend ActiveSupport::Concern
6+
7+
included do
8+
before_action do
9+
request.session_options[:skip] = true
10+
end
11+
end
12+
end
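Review bot: `request.session_options[:skip] = true` tells the Rack session middleware not to commit the session at the end of the request, so no session `Set-Cookie` is written; it does not prevent controller code from reading `session` earlier in the same request, which is acceptable here because the skip flag is evaluated at commit time. Two small points on the new file: the comment `in some CDNs as CloudFlare` should read `such as Cloudflare`, and the concern lands without a test of its own; a request test that includes the module in a throwaway controller, hits an action, and asserts `response.headers["Set-Cookie"]` is nil would lock the behavior in independently of the two Active Storage controllers.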
