[6-0-stable] Backport Upgrade-safe URL-safe CSRF tokens #39076 #41806
Conversation
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport. Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.
…e-csrf-tokens Upgrade-safe URL-safe CSRF tokens
[6-0-stable] Backport Upgrade-safe URL-safe CSRF tokens rails#39076
|
@rafaelfranca Please release it. We are about to upgrade to Rails 6.0, but stuck on 5.2 with this issue. |
|
Let me know if I didn't understand correct. The fix has been merged in branch 6-0-stable but wasn't in release 6.0.3.7 so, If we want to upgrade from Rails 5.2 to Rails 6.0, we have to use 6-0-stable or wait for the next release, right ? |
|
@GCorbel As I understood 6.0.3.7 not included the fix because it is 4 level release. We need to wait for 6.0.4. |
|
@yevhene @GCorbel In the mean time, have you tried out the 6-0-stable branch and let us know if there's any issues before a release is cut? 🙇 |
|
@zzak This feature works fine now in |
|
@zzak I saw no issue with |
|
Thank you both for testing! I will leave it up to rails-core to decide when to release this 🙏 |
|
Rails 6.0.4 has been released with this commit in it. Thanks. |
This is the backport of #39076 to make apps upgrade-safe from Rails 5.2.5.
I've made a PR #41805 to make CSRF tokens forward compatible, that is enough for 6.0.x -> 6.0.next.
But for 5.2.4.x and 5.2.5. #39076 is required to make apps upgrade-safe both 5.2.4.x -> 5.2.next (skip 5.2.5) and 5.2.5 -> 5.2.next.
If this way is preferable, I'll merge this and backport to 5-2-stable (with making this Ruby 2.2 compatible).