[6-0-stable] Backport Upgrade-safe URL-safe CSRF tokens #39076 #41806
Conversation
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport. Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.
[6-0-stable] Backport Upgrade-safe URL-safe CSRF tokens rails#39076
@rafaelfranca Please release it. We are about to upgrade to Rails 6.0, but are stuck on 5.2 with this issue.
Let me know if I didn't understand correctly. The fix has been merged into the 6-0-stable branch but wasn't in release 6.0.3.7, so if we want to upgrade from Rails 5.2 to Rails 6.0, we have to use 6-0-stable or wait for the next release, right?
@GCorbel As I understand it, 6.0.3.7 did not include the fix because it is a 4-level release. We need to wait for 6.0.4.
@yevhene @GCorbel In the meantime, have you tried out the 6-0-stable branch? Let us know if there are any issues before a release is cut. 🙇
@zzak This feature works fine now in
@zzak I saw no issue with
Thank you both for testing! I will leave it up to rails-core to decide when to release this 🙏
Rails 6.0.4 has been released with this commit in it. Thanks.
This is the backport of #39076 to make apps upgrade-safe from Rails 5.2.5.
I've made a PR #41805 to make CSRF tokens forward compatible, that is enough for 6.0.x -> 6.0.next.
But for 5.2.4.x and 5.2.5, #39076 is required to make apps upgrade-safe for both 5.2.4.x -> 5.2.next (skipping 5.2.5) and 5.2.5 -> 5.2.next.
If this way is preferable, I'll merge this and backport it to 5-2-stable (making it Ruby 2.2 compatible).
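The following is an added illustration, not Rails' own code and not part of this PR, of the two points above: the PR description's claim that a strict Base64 token breaks when it crosses a cookie or form boundary un-encoded while a URL-safe token survives, and the upgrade note's requirement that a validator accept both alphabets so tokens minted by an older release still verify. It is modelled on the masked-token scheme the description refers to (a random one-time pad followed by pad XOR raw token, then Base64). All function names, `TOKEN_LENGTH`, and the `DEMO_PAD`/`DEMO_RAW` inputs are assumptions constructed for the demo; the `padding:` keyword on `Base64.urlsafe_encode64` exists from Ruby 2.3, which is why a 5-2-stable backport on Ruby 2.2 has to strip padding itself.

```ruby
require "base64"
require "securerandom"
require "uri"

# Added illustration of the token scheme described in the PR: a masked CSRF
# token is a random one-time pad followed by (pad XOR raw_token), then
# Base64-encoded. Function names here are hypothetical; this is not Rails code.
TOKEN_LENGTH = 32

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Legacy encoding: standard alphabet ("+", "/") with "=" padding.
def mask_token_strict(raw_token, pad: SecureRandom.random_bytes(TOKEN_LENGTH))
  Base64.strict_encode64(pad + xor_byte_strings(pad, raw_token))
end

# New encoding: URL-safe alphabet ("-", "_"), no padding. The padding:
# keyword needs Ruby 2.3+, so a Ruby 2.2 backport must strip "=" by hand.
def mask_token_urlsafe(raw_token, pad: SecureRandom.random_bytes(TOKEN_LENGTH))
  Base64.urlsafe_encode64(pad + xor_byte_strings(pad, raw_token), padding: false)
end

# Backwards-compatible decoder. Base64.urlsafe_decode64 restores missing
# padding and translates "-_" to "+/" before a strict decode, so a token in
# either alphabet is accepted; anything else yields nil rather than raising.
def decode_csrf_token(encoded)
  Base64.urlsafe_decode64(encoded)
rescue ArgumentError
  nil
end

def unmask_token(masked)
  return nil unless masked && masked.bytesize == 2 * TOKEN_LENGTH
  pad = masked.byteslice(0, TOKEN_LENGTH)
  xor_byte_strings(pad, masked.byteslice(TOKEN_LENGTH, TOKEN_LENGTH))
end

# Constant-time comparison so validation does not leak the token by timing.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_token?(encoded, session_raw_token)
  secure_compare(unmask_token(decode_csrf_token(encoded)), session_raw_token)
end

# Models a token read back from a cookie or query string that was not
# URL-encoded first: form decoding turns "+" into a space, which corrupts
# the strict alphabet but leaves the URL-safe one untouched.
def form_roundtrip(value)
  URI.decode_www_form_component(value)
end

# Constructed, deterministic inputs for the demo. The pad bytes are chosen so
# the strict encoding starts with "+/+/"; real code uses the random defaults.
DEMO_PAD = ("\xFB\xFF\xBF".b * 11).byteslice(0, TOKEN_LENGTH)
DEMO_RAW = (1..TOKEN_LENGTH).to_a.pack("C*")

if __FILE__ == $0
  strict  = mask_token_strict(DEMO_RAW, pad: DEMO_PAD)
  urlsafe = mask_token_urlsafe(DEMO_RAW, pad: DEMO_PAD)
  puts "strict:  #{strict}"
  puts "urlsafe: #{urlsafe}"
  puts "strict token valid:                  #{valid_token?(strict, DEMO_RAW)}"
  puts "urlsafe token valid:                 #{valid_token?(urlsafe, DEMO_RAW)}"
  puts "strict after form round-trip valid:  #{valid_token?(form_roundtrip(strict), DEMO_RAW)}"
  puts "urlsafe after form round-trip valid: #{valid_token?(form_roundtrip(urlsafe), DEMO_RAW)}"
end
```

Run it with `ruby csrf_tokens_demo.rb`: both freshly minted tokens validate, but only the URL-safe one still validates after the simulated cookie round-trip, and a token in the legacy strict alphabet still verifies because `decode_csrf_token` never rejects "+", "/" or trailing "=". That single decoder is what lets an app verify tokens issued before and after the encoding switch during a rolling upgrade.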