
[6-0-stable] Backport Upgrade-safe URL-safe CSRF tokens #39076 #41806

Merged
merged 3 commits into from Mar 31, 2021

Commits on Mar 31, 2021

  1. Accept and default to base64_urlsafe CSRF tokens (rails#18496)

    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
    them difficult to deal with. For example, the common practice of sending
    the CSRF token to a browser in a client-readable cookie does not work properly
    out of the box: the value has to be url-encoded and decoded to survive transport.
    
    Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
    to transport.  Validation accepts both urlsafe tokens, and strict-encoded tokens
    for backwards compatibility.
    dragonsinth authored and kamipo committed Mar 31, 2021 (commit 64bb514)
  2. Merge pull request rails#39076 from etiennebarrie/upgrade-safe-urlsafe-csrf-tokens
    
    Upgrade-safe URL-safe CSRF tokens
    rafaelfranca authored and kamipo committed Mar 31, 2021 (commit f35b4ae)
  3. Commit ef808bf
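The behaviour the first commit describes (generate URL-safe tokens, accept both the URL-safe and the strict Base64 form on validation), as an added Ruby example that is not Rails' own code. The helper names, the 32-byte token length, the unpadded encoding and the sample bytes used in testing are assumptions made for the example.

```ruby
require "base64"
require "securerandom"
require "uri"

TOKEN_LENGTH = 32 # assumed size; the page does not state Rails' internal length

# New default: URL-safe alphabet (-_ instead of +/) and no "=" padding, so the
# value survives cookies, query strings and JSON without any extra encoding.
def generate_urlsafe_token(raw = SecureRandom.random_bytes(TOKEN_LENGTH))
  Base64.urlsafe_encode64(raw, padding: false)
end

# Upgrade-safe decode: URL-safe decoder first, strict decoder as fallback.
# Ruby's urlsafe_decode64 maps -_ to +/ and tolerates missing padding, while
# strict_decode64 rejects -, _ and unpadded input, so this order accepts both
# token styles. Anything else, or a wrong-length result, yields nil.
def decode_csrf_token(encoded)
  return nil unless encoded.is_a?(String)
  raw = begin
    Base64.urlsafe_decode64(encoded)
  rescue ArgumentError
    begin
      Base64.strict_decode64(encoded)
    rescue ArgumentError
      nil
    end
  end
  raw && raw.bytesize == TOKEN_LENGTH ? raw : nil
end

# Constant-time comparison so the mismatch position is not observable via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# session_raw: raw token kept server-side; submitted: value delivered by the
# form field, header or cookie round-trip, in either encoding.
def valid_csrf_token?(session_raw, submitted)
  decoded = decode_csrf_token(submitted)
  !decoded.nil? && secure_equal?(session_raw, decoded)
end

# True when URL form-encoding leaves the token unchanged (no +, / or =), i.e.
# a browser-side client can read it straight out of a cookie.
def survives_url_encoding?(token)
  URI.encode_www_form_component(token) == token
end
```

Legacy tokens produced with `Base64.strict_encode64` still validate through `valid_csrf_token?`, while newly issued tokens pass `survives_url_encoding?`.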