Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't bother pattern matching existing set-cookie for deletion. #1844

Merged
merged 2 commits into from
Apr 6, 2022

Conversation

ioquatix
Copy link
Member

@ioquatix ioquatix commented Apr 6, 2022

Fixes #1840

@ioquatix
Copy link
Member Author

ioquatix commented Apr 6, 2022

I'm honestly not sure what these tests were trying to achieve. Our deletion logic doesn't matter at all if browsers don't implement it correctly. Because I imagine 99% of people trying to delete cookies would be doing so after the fact it was set in a prior request, so the tests really don't reflect reality.

@ioquatix ioquatix enabled auto-merge (squash) April 6, 2022 08:44
@leahneukirchen
Copy link
Member

Please don't commit .DS_Store files..

One use case could be to have middle-ware that removes cookies from some other layer, but I'm not sure how useful that is.

@ioquatix
Copy link
Member Author

ioquatix commented Apr 6, 2022

Please don't commit .DS_Store files..

Oh lol, I don't even know how that happened, I was committing from Linux, but I think I copied the entire repo from my old development laptop haha. Thanks for pointing it out! 😊

One use case could be to have middle-ware that removes cookies from some other layer, but I'm not sure how useful that is.

Cookie deletion still works even in this case, but we depend on the browser to do the right thing, which I tested and it appears to work as expected (and according to relevant RFCs).

I discussed this with @tenderlove and he said there is a potential security angle which would be someone adding a cookie with a sensitive value and then later deleting it. With this change we send the creation (with sensitive data) and then follow with a deletion cookie. This would all go to the browser which would in all likelihood add then remove the cookie. But I think the consensus here was that this is a poorly implemented app.

The other angle is performance. If someone added a huge cookie and then later deleted it in the same request, expecting the entire overhead to be gone... Yes there is some impact. But again, I'm not sure this is well-formed behaviour/app.

@ioquatix ioquatix force-pushed the improved-cookie-delete branch from b1dc03d to e487244 Compare April 6, 2022 12:15
@ioquatix ioquatix merged commit dc72e60 into main Apr 6, 2022
@ioquatix ioquatix deleted the improved-cookie-delete branch April 6, 2022 16:04
@jeremyevans
Copy link
Contributor

It seems only benefit of removing the scanning is for performance in the general case. Do we have any indication that this is actually a performance issue worth fixing? It seems both the security (remove secret data) and size (remove large data) issues, even if they do not affect most applications, are reasonable reasons against this change.

Looking at the code, the only reason for delete_set_cookie_header! is when you want to scan and remove an existing cookie. Otherwise, you would just use delete_set_cookie_header.

@tenderlove merged this as I was typing this, but I think this should be reverted.

@tenderlove
Copy link
Member

If you're sending sensitive information, and then relying on this to delete it, I think your app has bigger problems. Specifically adding sensitive info, then trying to remove it later seems like a "your app problem" not a "rack should deal with this" problem. Additionally, the regex match used for detecting if it's the right cookie could be problematic. Since the app developer has access to the array and can mutate it themselves, why is it our responsibility to try and parse their strings?

(My main gripe with this method are the regular expressions. If we kept the cookies in a more structured format like objects, I think removing existing ones would be fine)

@jeremyevans
Copy link
Contributor

I agree the method implementation is ugly. However, the only reason for delete_set_cookie_header! is to do this removal. If we don't want to do this removal, it would be better to deprecate the method, and just tell people to switch to delete_set_cookie_header. Most internal callers of delete_set_cookie_header! are already deprecated, and delete_cookie_header! could switch to calling delete_set_cookie_header.

@ioquatix
Copy link
Member Author

ioquatix commented Apr 6, 2022

I'm happy to revert this PR and just deprecate the entire method if we all agree to that, I'll do it today.

dentarg added a commit to dentarg/sinatra that referenced this pull request Dec 29, 2022
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Dec 30, 2022
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Feb 13, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Feb 24, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Mar 4, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Mar 5, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Apr 11, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request May 15, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request May 16, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Aug 7, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
geoffharcourt pushed a commit to commonlit/sinatra that referenced this pull request Nov 6, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Dec 23, 2023
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Jan 2, 2024
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
dentarg added a commit to dentarg/sinatra that referenced this pull request Jan 5, 2024
Multiple response header values are encoded using an Array instead of
newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array

Rack 3 does not remove cookies from the internal storage (because it
doesn't make much sense), see rack/rack#1844, rack/rack#1840
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Fix cookie deletion.
5 participants