-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Loosen the domain regex to accept '.' #29
Conversation
Seems like the leading dot is old standard according to the discussion here: https://stackoverflow.com/a/23086139 |
LGTM, but you probably want to squash these commits and to remove that blank line in the diff. |
468c92c
to
77fb46c
Compare
The CI failures are already on master. |
This is a consequence of our decision to comply with RFC 6265. https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1
It looks like the referenced RFCs do not allow a leading dot. https://www.rfc-editor.org/rfc/rfc1034#section-3.5 However, a leading dot was required in RFC 2109 (which has been already obsoleted). https://datatracker.ietf.org/doc/html/rfc2109#section-4.2.2
We may allow leading dots for compatibility. @akr @nurse What do you think? |
Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
Hi all, we are encountering this problem on my project when trying to update to the patched version of Ruby 2.7.7. Our test builds are failing due to the leading . on our cookie domains. This is a Rails project version 2.6.7. It would be great to have this PR out so that we can patch up this security flaw as soon as possible. |
I just noticed that this is breaking Rails test suite as well: https://buildkite.com/rails/rails/builds/91200#0184aae9-a971-4423-8bb6-60e7a14ec3fb/1048-1057 |
Thank you for your work, and for picking up this issue so quickly. My 2 cents: I think, sticking with RFC6265 Section 4.1.1 is the future. To get there, maybe a version is released to deprecate the leading dot and allow various frameworks a grace period to remove support of the leading dot. Then release another version that raises an exception for the leading dot. Thanks. P.S. As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value, it's odd that frameworks are still producing domain value with leading dot, because
|
@naruse found the following statements in RFC 6265
So it looks like RFC 6265 actually allows a leading dot. I no longer see any reason not to merge this PR. |
(ruby/cgi#29) * Loosen the domain regex to accept '.' Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org> ruby/cgi@5e09d632f3 Co-authored-by: Hiroshi SHIBATA <hsbt@ruby-lang.org>
…_with_all_domains This commit addresses the following error by using cgi 0.3.6 that includes ruby/cgi#29 ```ruby $ ruby -v ruby 3.1.3p185 (2022-11-24 revision 1a6b16756e) [x86_64-linux] $ gem info cgi *** LOCAL GEMS *** cgi (0.3.5) Author: Yukihiro Matsumoto Homepage: https://github.com/ruby/cgi Licenses: Ruby, BSD-2-Clause Installed at (default): /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0 Support for the Common Gateway Interface protocol. $ ``` ``` $ cd actionpack $ bin/test test/dispatch/session/cookie_store_test.rb -n test_session_store_with_all_domains Running 27 tests in a single process (parallelization threshold is 50) Run options: -n test_session_store_with_all_domains --seed 24288 E Error: CookieStoreTest#test_session_store_with_all_domains: ArgumentError: invalid domain: ".example.com" /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/3.1.0/cgi/cookie.rb:128:in `domain=' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/3.1.0/cgi/cookie.rb:95:in `initialize' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-2.2.4/lib/rack/mock.rb:239:in `new' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-2.2.4/lib/rack/mock.rb:239:in `block in parse_cookies_from_header' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-2.2.4/lib/rack/mock.rb:236:in `each' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-2.2.4/lib/rack/mock.rb:236:in `parse_cookies_from_header' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-2.2.4/lib/rack/mock.rb:187:in `initialize' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-test-2.0.2/lib/rack/test.rb:360:in `new' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-test-2.0.2/lib/rack/test.rb:360:in `process_request' /home/yahonda/.rbenv/versions/3.1.3/lib/ruby/gems/3.1.0/gems/rack-test-2.0.2/lib/rack/test.rb:155:in `request' /home/yahonda/src/github.com/rails/rails/actionpack/lib/action_dispatch/testing/integration.rb:285:in `process' /home/yahonda/src/github.com/rails/rails/actionpack/lib/action_dispatch/testing/integration.rb:16:in `get' /home/yahonda/src/github.com/rails/rails/actionpack/lib/action_dispatch/testing/integration.rb:376:in `get' /home/yahonda/src/github.com/rails/rails/actionpack/test/dispatch/session/cookie_store_test.rb:420:in `get' /home/yahonda/src/github.com/rails/rails/actionpack/test/dispatch/session/cookie_store_test.rb:379:in `block in test_session_store_with_all_domains' /home/yahonda/src/github.com/rails/rails/actionpack/test/dispatch/session/cookie_store_test.rb:438:in `block in with_test_route_set' /home/yahonda/src/github.com/rails/rails/actionpack/test/abstract_unit.rb:157:in `with_routing' /home/yahonda/src/github.com/rails/rails/actionpack/test/dispatch/session/cookie_store_test.rb:424:in `with_test_route_set' /home/yahonda/src/github.com/rails/rails/actionpack/test/dispatch/session/cookie_store_test.rb:378:in `test_session_store_with_all_domains' bin/test test/dispatch/session/cookie_store_test.rb:377 Finished in 0.079807s, 12.5303 runs/s, 0.0000 assertions/s. 1 runs, 0 assertions, 0 failures, 1 errors, 0 skips $ ``` Related to ruby/cgi#29 rails#46578
Any plans to backport this PR to v0.2.x (for ruby 3.0.x) and v0.1.x (for ruby 2.7.x)? If no backport, it seems to need updating cgi gem per release of ruby 3.0.5+. |
Per ruby/cgi#29 the current shipped version of the CGI gem doesn't allow for leading dots in domain names, which breaks setting cookies like `.example.com`.
* FIX: Ensure we have a patched version of CGI gem Per ruby/cgi#29 the current shipped version of the CGI gem doesn't allow for leading dots in domain names, which breaks setting cookies like `.example.com`. * Update Gemfile Co-authored-by: Jarek Radosz <jradosz@gmail.com> Co-authored-by: Jarek Radosz <jradosz@gmail.com>
…5dcf5326ea2c8e2047a3bddeb0fbb7e7d07649,b335d899fff3cc22b022c9ee2ceb636d714bf1a7: [Backport #19153] [ruby/cgi] Fix test_cgi_cookie_new_with_domain to pass on older rubies ruby/cgi@05f0c58048 --- test/cgi/test_cgi_cookie.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) [ruby/cgi] Prepare to release 0.3.6 ruby/cgi@710a647855 --- lib/cgi.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) [ruby/cgi] Loosen the domain regex to accept '.' (ruby/cgi#29) * Loosen the domain regex to accept '.' Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org> ruby/cgi@5e09d632f3 Co-authored-by: Hiroshi SHIBATA <hsbt@ruby-lang.org> --- lib/cgi/cookie.rb | 2 +- test/cgi/test_cgi_cookie.rb | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) [ruby/cgi] Bump up 0.3.6 ruby/cgi@827b7d43cc --- lib/cgi.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
See ruby/cgi#29
One test failure which isn't a regression - it's because of the CGI gem [0]. With the CGI gem monkeypatched locally, it all works. [0] https://discuss.rubyonrails.org/t/invalid-domain-example-com-in-rspec-after-changing-session-store-to-domain-all/81922 [1] ruby/cgi#29 Signed-off-by: Sam James <sam@gentoo.org>
One test failure which isn't a regression - it's because of the CGI gem [0]. With the CGI gem monkeypatched locally, it all works. [0] https://discuss.rubyonrails.org/t/invalid-domain-example-com-in-rspec-after-changing-session-store-to-domain-all/81922 [1] ruby/cgi#29 Signed-off-by: Sam James <sam@gentoo.org>
In preparation for an update to Ruby 3.0; starting in Ruby 2.7.7, Ruby by default targets version 0.3.5 of the `cgi` gem, which fixed a security issue but also made the domain validation more restrictive than necessary. Version 0.3.6 loosens the restrictions. - https://github.com/ruby/cgi/releases/tag/v0.3.6 - ruby/cgi#29 - https://johnathan.org/ruby-2-7-7-invalid-domain/ Without this change, we get several hundred `ArgumentError: invalid domain: ".code.org"` errors in Dashboard tests on Ruby 3. With this change, we do not.
This is true but slightly misleading. RFC6265 doesn't strictly allow a leading dot (it actually defines the domain parameter as not permitting a leading dot), but it gives a fallback behaviour for UAs to be able to handle older RFC2965 cookies. I recognise that this was probably already taken into account as part of "our decision to comply with RFC 6265", but being clear about the difference is important, because there is discussion pointing to this PR as justification for keeping leading dots on cookies in Rails. In fact, there's an argument that maybe this PR didn't go far enough? As you quoted, the RFC6265 behaviour is this:
However the library persists the leading dot:
This PR was enough to stop exceptions being raised for cookies that browsers would handle though, and that's clearly a good thing regardless of the extra details. |
Ruby stdlib doesn't allow cookies to be set with domains with leading dots. Rails, unfortunately, sets cookies with domains with leading dots (this is technically incorrect to do) A newer version of the CGI library that handles this case is available, but only by including the gem version of the library. See: ruby/cgi#29
See ruby/cgi#29
See ruby/cgi#29
Domain leading with
.
should be allowed since it represents all subdomain are sharing the same cookie.