This repository was archived by the owner on Jan 27, 2022. It is now read-only.

Commit cfe1cc8

Use the fork of ActiverecordSessionStore
This addresses CVE-2019-16782.

There has been a vulnerability in the wild[1] around session hijacks in Rack and related frameworks for a while now, but this has been fixed in Rack and Rails for a while now. There's a fix for the upstream version of ActiverecordSessionStore since late 2019[2], but this hasn't been merged yet. We weren't aware of this issue until recently, as it's only just been added to the Ruby Advisory DB[3].

This uses a fork of the upstream gem, as suggested in the original PR[4], to fix the immediate issue.

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-16782
[2] rails/activerecord-session_store#151
[3] rubysec/ruby-advisory-db#462
[4] rails/activerecord-session_store#151 (comment)
1 parent: fcd5698; commit: cfe1cc8

File tree: 2 files changed (+14 -8 lines)


Gemfile

+1 -1
@@ -3,7 +3,7 @@ source "https://rubygems.org"
33
gem "rails", "6.0.3.5"
44

55
gem "activerecord-import"
6-
gem "activerecord-session_store"
6+
gem "activerecord-session_store", github: "rails-lts/activerecord-session_store", branch: "secure-session-store"
77
gem "acts-as-taggable-on"
88
gem "apache_log-parser"
99
gem "aws-sdk-s3"
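Review bot: the new `gem "activerecord-session_store", github: "rails-lts/activerecord-session_store", branch: "secure-session-store"` line tracks a branch head rather than a fixed commit, so a later `bundle update` of this gem will silently move to whatever that branch points at then. Consider adding `ref: "d091c7ea819350bbb9433d4dd065379832d593a3"` (the revision the lockfile resolves to in this same commit) so the Gemfile itself pins the reviewed code, and leave a short comment on the line saying this is a temporary fork pending rails/activerecord-session_store#151, so it is switched back to the rubygems release once upstream merges.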

Gemfile.lock

+13 -7
@@ -1,3 +1,15 @@
1+
GIT
2+
remote: https://github.com/rails-lts/activerecord-session_store.git
3+
revision: d091c7ea819350bbb9433d4dd065379832d593a3
4+
branch: secure-session-store
5+
specs:
6+
activerecord-session_store (1.1.3)
7+
actionpack (>= 5.2.4.1)
8+
activerecord (>= 5.2.4.1)
9+
multi_json (~> 1.11, >= 1.11.2)
10+
rack (>= 2.0.8, < 3)
11+
railties (>= 5.2.4.1)
12+
113
GEM
214
remote: https://rubygems.org/
315
specs:
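Review bot: the fork's spec raises the dependency floors to `actionpack (>= 5.2.4.1)`, `rack (>= 2.0.8, < 3)` and `railties (>= 5.2.4.1)`, which is consistent with the commit message's point that the underlying fix landed in Rack and Rails and the gem only needs to use it. The Gemfile's `rails 6.0.3.5` satisfies the Rails floors, but the locked `rack` version is not visible in this diff; confirm the rest of Gemfile.lock resolves rack to 2.0.8 or later rather than something the old `>= 1.5.2` floor would have allowed, otherwise the fork alone does not close the issue.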
@@ -47,12 +59,6 @@ GEM
4759
activesupport (= 6.0.3.5)
4860
activerecord-import (1.0.8)
4961
activerecord (>= 3.2)
50-
activerecord-session_store (1.1.3)
51-
actionpack (>= 4.0)
52-
activerecord (>= 4.0)
53-
multi_json (~> 1.11, >= 1.11.2)
54-
rack (>= 1.5.2, < 3)
55-
railties (>= 4.0)
5662
activestorage (6.0.3.5)
5763
actionpack (= 6.0.3.5)
5864
activejob (= 6.0.3.5)
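Review bot: dropping `activerecord-session_store (1.1.3)` from the GEM section is the correct counterpart to the new GIT block, but the version string is identical in both (1.1.3), so nothing in the lockfile other than the `GIT` source distinguishes the patched fork from the rubygems release. Tooling that audits by gem name and version against the Ruby Advisory DB entry referenced in the message may therefore still report this gem; run the audit after this change and document the expected result so the finding is not mistaken for a regression.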
@@ -579,7 +585,7 @@ PLATFORMS
579585

580586
DEPENDENCIES
581587
activerecord-import
582-
activerecord-session_store
588+
activerecord-session_store!
583589
acts-as-taggable-on
584590
apache_log-parser
585591
aws-sdk-s3
