ActiveSupport Message verifier with double slash trouble #27995

kewogc opened this issue Feb 14, 2017 · 1 comment


commented Feb 14, 2017

Steps to reproduce

```
# routes.rb
get 'verify/*token'

# generate token
token = MessageVerifier.generate(:user_id=>1111, :recipient_id=>12975875, :email=>"") #=>

# Send url with token to rails
curl http://localhost:3000/recipients/verify/BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA//FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd

# Rails server log
Started GET "/verify/BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA//FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd" for at 2017-02-14 15:44:20 +0700
Processing as HTML
  Parameters: {"token"=>"BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA/FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd"}
```

Okay, I think to encode the token: // -> %2F%2F
But in production, the request is sent to nginx over http:

```nginx
server {
  listen 80;
  server_name localhost;
  location / {
    rewrite ^(.*) https://$host$1 permanent;
  }
  location /.well-known/acme-challenge {
  }
}

server {
  listen 443;
  server_name localhost;
  ssl on;
  location / {
    proxy_pass            http://rails-app;
    proxy_redirect        off;
  }
}
```

Encoding is lost after the redirect to https: %2F%2F -> "//". Normalization is mandatory in the location block on nginx.

Maybe it is possible to disable the normalization of slashes in Rails?

Expected behavior


Actual behavior


System configuration

Rails version: 4.2.5
Ruby version: 2.3.0


commented Feb 14, 2017

The token generated by message verifier is not safe to be used in a URL as a raw value. You need to encode it in a way that can be safely used in URLs.
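An added example, not from the reporter or from Rails, showing why a `<base64>--<hex digest>` token like the one above breaks inside a URL path and how URL-safe encoding avoids it. It uses only Ruby's stdlib: the secret, the SHA-256 HMAC, the plain-string payload and the `normalize_slashes` stand-in for nginx's slash merging are constructed for the demo; ActiveSupport's real verifier Marshals the payload and derives its key from the app secret.

```ruby
require 'openssl'

# Hypothetical demo secret; a real app derives the key from secret_key_base.
SECRET = 'demo-secret-not-for-production'

# Strict Base64 (RFC 4648 s.4) uses '+' and '/', so a token can contain '//'.
def strict_b64(bytes)
  [bytes].pack('m0')
end
def strict_b64_decode(str)
  str.unpack1('m0')
end

# URL-safe Base64 (RFC 4648 s.5): '-' and '_' instead, and no '=' padding.
def urlsafe_b64(bytes)
  strict_b64(bytes).tr('+/', '-_').delete('=')
end
def urlsafe_b64_decode(str)
  (str + '=' * ((-str.length) % 4)).tr('-_', '+/').unpack1('m0')
end

# Constant-time comparison so the digest check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# "<encoded>--<hmac hex>", the same shape as a MessageVerifier token.
def sign(data, secret, url_safe: false)
  encoded = url_safe ? urlsafe_b64(data) : strict_b64(data)
  "#{encoded}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, encoded)}"
end

# Payload on success, nil when the HMAC does not match (tampering, or a proxy
# that rewrote the token). The hex digest has no '-', so rpartition is safe.
def verify(token, secret, url_safe: false)
  encoded, sep, digest = token.rpartition('--')
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, encoded)
  return nil unless secure_compare(digest, expected)
  url_safe ? urlsafe_b64_decode(encoded) : strict_b64_decode(encoded)
rescue ArgumentError
  nil
end

# What nginx's default merge_slashes does to a path: runs of '/' become '/'.
def normalize_slashes(path)
  path.gsub(%r{/{2,}}, '/')
end
```

A payload of three 0xFF bytes encodes to `////` in strict Base64, so the proxy collapses it and the signature check fails; the same bytes encode to `____` URL-safely and verify unchanged.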