mirror of
https://github.com/discourse/discourse.git
synced 2024-12-12 12:19:36 +08:00
f45853676f
This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance.
26 lines
763 B
Ruby
26 lines
763 B
Ruby
# frozen_string_literal: true
|
|
|
|
require 'rails_helper'
|
|
|
|
describe 'multisite', type: [:multisite, :request] do
|
|
it "works" do
|
|
get "http://test.localhost/session/csrf.json"
|
|
expect(response.status).to eq(200)
|
|
cookie = response.cookies["_forum_session"]
|
|
id1 = session["session_id"]
|
|
|
|
get "http://test.localhost/session/csrf.json", headers: { "Cookie" => "_forum_session=#{cookie};" }
|
|
expect(response.status).to eq(200)
|
|
id2 = session["session_id"]
|
|
|
|
expect(id1).to eq(id2)
|
|
|
|
get "http://test2.localhost/session/csrf.json", headers: { "Cookie" => "_forum_session=#{cookie};" }
|
|
expect(response.status).to eq(200)
|
|
id3 = session["session_id"]
|
|
|
|
# Session cookie was rejected and rotated
|
|
expect(id2).not_to eq(id3)
|
|
end
|
|
end
|