Merge pull request #48869 from brunoprietog/disable-session-active-st…

…orage-proxy-controllers

Disable session in ActiveStorage blobs and representations proxy controllers

[CVE-2024-26144]

activestorage/CHANGELOG.md

@@ -1,3 +1,11 @@
+*   Disables the session in `ActiveStorage::Blobs::ProxyController`
+    and `ActiveStorage::Representations::ProxyController`
+    in order to allow caching by default in some CDNs as CloudFlare
+
+    Fixes #44136
+
+    *Bruno Prieto*
+
 ## Rails 6.1.7.6 (August 22, 2023) ##
 
 *   No changes.

activestorage/app/controllers/active_storage/blobs/proxy_controller.rb

@@ -4,6 +4,7 @@
 class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
   include ActiveStorage::SetHeaders
+  include ActiveStorage::DisableSession
 
   def show
     http_cache_forever public: true do

activestorage/app/controllers/active_storage/representations/proxy_controller.rb

@@ -3,6 +3,7 @@
 # Proxy files through application. This avoids having a redirect and makes files easier to cache.
 class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
   include ActiveStorage::SetHeaders
+  include ActiveStorage::DisableSession
 
   def show
     http_cache_forever public: true do

activestorage/app/controllers/concerns/active_storage/disable_session.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
+module ActiveStorage::DisableSession
+  extend ActiveSupport::Concern
+
+  included do
+    before_action do
+      request.session_options[:skip] = true
+    end
+  end
+end