Skip to content

SecureHeaders middleware erases all cookies in Rack 3 due to \n joining #514

New issue
New issue
Open
#555
Open
SecureHeaders middleware erases all cookies in Rack 3 due to \n joining#514
#555
@collinsauve

Description

@collinsauve
collinsauve
opened on Apr 22, 2024 · edited by collinsauve

Bugs

SecureHeaders is not compatible with this change from Rack 3 as SH uses \n encoded cookies in flag_cookies!:

Response header values can be an Array to handle multiple values (and no longer supports \n encoded headers).

Rack will no longer transform this back into an array for you, and that joined string with \n gets all the way to Puma::Request#str_headers at which point it ignores it due to it being an illegal value.

Expected outcome

Describe what you expected to happen

  1. I set multiple cookies
  2. Those cookies are included in the response

Actual outcome

  1. The response written to the socket does not include any cookies set before SH middleware gets them.

Activity

collinsauve
changed the title [-]SecureHeaders middleware erases all cookies in Rack 4 due to \n joining[/-] [+]SecureHeaders middleware erases all cookies in Rack 3 due to \n joining[/+] on Apr 22, 2024
collinsauve

collinsauve commented on Apr 22, 2024

@collinsauve
collinsauve
on Apr 22, 2024
Author

I've put together a minimum-viable reproduction of the issue:
https://github.com/collinsauve/secure-headers-issue-514

mscrivo
added a commit that references this issue on Apr 23, 2024

fix(cookies): Remove joining with \n

4003b36
deril
linked a pull request that will close this issue on May 20, 2025
adfoster-r7

adfoster-r7 commented on Jul 30, 2025

@adfoster-r7
adfoster-r7
on Jul 30, 2025

I'm also hitting an error for this code path, but now from the thin 2.x upgrade a validaiton error is raised due to the \n char being present:

 2025-07-31 00:53:14 +0100 Unexpected error while processing request: Header contains CR or LF
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/headers.rb:32:in `[]='
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/response.rb:101:in `block (2 levels) in headers='
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/response.rb:101:in `each'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/response.rb:101:in `block in headers='
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/response.rb:96:in `each'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/response.rb:96:in `headers='
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/connection.rb:106:in `post_process'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/connection.rb:53:in `process'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/connection.rb:39:in `receive_data'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run_machine'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/backends/base.rb:75:in `start'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/server.rb:162:in `start'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/controllers/controller.rb:87:in `start'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/runner.rb:203:in `run_command'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/lib/thin/runner.rb:159:in `run!'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/gems/thin-2.0.1/bin/thin:6:in `<top (required)>'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/bin/thin:25:in `load'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/bin/thin:25:in `<main>'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/bin/ruby_executable_hooks:22:in `eval'
 	/Users/user/.rvm/gems/ruby-3.3.8@app/bin/ruby_executable_hooks:22:in `<main>'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @collinsauve@adfoster-r7

      Issue actions
        SecureHeaders middleware erases all cookies in Rack 3 due to \n joining · Issue #514 · github/secure_headers