Bug #12791: Don't allow ,-separator for cookie - Ruby - Ruby Issue Tracking System

Actions

Bug #12791

closed

Don't allow ,-separator for cookie

Bug #12791: Don't allow ,-separator for cookie

Added by naruse (Yui NARUSE) about 9 years ago. Updated about 9 years ago.

Status:

Closed

Assignee:

-

Target version:

-

ruby -v:

Backport:

2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN

[ruby-core:77416]

Description

RFC2965 allowed both ; and , as a separator for cookie, but RFC6265 only allows ;.

Moreover CVE-2016-7401 uses , as a separator to overwrite CSRF-token.
https://gist.github.com/mala/457a25650950d4daf4144f98159802cc

Actions

Also available in: PDF Atom