Fixes for use_authenticated_cookie_encryption

Use CBC encryption is this configuration value is set to false

Fixes for use_authenticated_cookie_encryption
Use CBC encryption is this configuration value is set to false
0fb6b2d5 · Michael Coyne · 9befc197 · 0fb6b2d5 · 0fb6b2d5
Showing with 28 addition and 3 deletion

actionpack/lib/action_dispatch/middleware/cookies.rb actionpack/lib/action_dispatch/middleware/cookies.rb +10 -3

actionpack/test/dispatch/cookies_test.rb actionpack/test/dispatch/cookies_test.rb +18 -0

未找到文件。
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -599,9 +599,16 @@ class EncryptedKeyRotatingCookieJar < AbstractCookieJar # :nodoc:
      def initialize(parent_jar)
        super

-        key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher)
-        secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len)
-        @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER)
+        if request.use_authenticated_cookie_encryption
+          key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher)
+          secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len)
+          @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER)
+        else
+          key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-cbc")
+          secret = request.key_generator.generate_key(request.encrypted_cookie_salt, key_len)
+          sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt)
+          @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: "aes-256-cbc", serializer: SERIALIZER)
+        end

        request.cookies_rotations.encrypted.each do |*secrets, **options|
          @encryptor.rotate(*secrets, serializer: SERIALIZER, **options)

--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -899,6 +899,24 @@ def test_legacy_signed_cookie_is_treated_as_nil_by_encrypted_cookie_jar_if_tampe
    assert_nil @response.cookies["foo"]
  end

+  def test_use_authenticated_cookie_encryption_uses_legacy_hmac_aes_cbc_encrypiton
+    @request.env["action_dispatch.use_authenticated_cookie_encryption"] = false
+
+    key_generator = @request.env["action_dispatch.key_generator"]
+    encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]
+    encrypted_signed_cookie_salt = @request.env["action_dispatch.encrypted_signed_cookie_salt"]
+    secret = key_generator.generate_key(encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len("aes-256-cbc"))
+    sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: "aes-256-cbc", digest: "SHA1", serializer: Marshal)
+
+    get :set_encrypted_cookie
+
+    cookies = @controller.send :cookies
+    assert_not_equal "bar", cookies[:foo]
+    assert_equal "bar", cookies.encrypted[:foo]
+    assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
+  end
+
  def test_legacy_hmac_aes_cbc_encrypted_marshal_cookie_is_upgraded_to_authenticated_encrypted_cookie
    key_generator = @request.env["action_dispatch.key_generator"]
    encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]