From bb316391ca2043693d870273dce5412b853daba0 Mon Sep 17 00:00:00 2001
From: Robin Daugherty
Date: Thu, 24 Sep 2020 10:02:06 -0400
Subject: [PATCH 1/2] Fix CSRF token cookie path

---
 lib/better_errors/middleware.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/better_errors/middleware.rb b/lib/better_errors/middleware.rb
index aab0210d..43394a9b 100644
--- a/lib/better_errors/middleware.rb
+++ b/lib/better_errors/middleware.rb
@@ -113,7 +113,7 @@ def show_error_page(env, exception=nil)
       response = Rack::Response.new(content, status_code, { "Content-Type" => "text/#{type}; charset=utf-8" })
       unless request.cookies[CSRF_TOKEN_COOKIE_NAME]
-        response.set_cookie(CSRF_TOKEN_COOKIE_NAME, value: csrf_token, httponly: true, same_site: :strict)
+        response.set_cookie(CSRF_TOKEN_COOKIE_NAME, value: csrf_token, path: "/", httponly: true, same_site: :strict)
       end
 
       # In older versions of Rack, the body returned here is actually a Rack::BodyProxy which seems to be a bug.

From da0e0d971bfc32b646e6a86d959086b3779e340b Mon Sep 17 00:00:00 2001
From: Robin Daugherty
Date: Thu, 24 Sep 2020 10:03:08 -0400
Subject: [PATCH 2/2] Fix old CSRF token being used after upgrade

---
 lib/better_errors/middleware.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/better_errors/middleware.rb b/lib/better_errors/middleware.rb
index 43394a9b..8215c70b 100644
--- a/lib/better_errors/middleware.rb
+++ b/lib/better_errors/middleware.rb
@@ -40,7 +40,7 @@ def self.allow_ip!(addr)
     allow_ip! "127.0.0.0/8"
     allow_ip! "::1/128" rescue nil # windows ruby doesn't have ipv6 support
 
-    CSRF_TOKEN_COOKIE_NAME = 'BetterErrors-CSRF-Token'
+    CSRF_TOKEN_COOKIE_NAME = "BetterErrors-#{VERSION}-CSRF-Token"
 
     # A new instance of BetterErrors::Middleware
     #
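Review bot: The `+` line in the first hunk still writes the cookie only when `request.cookies[CSRF_TOKEN_COOKIE_NAME]` is absent, so on every later request the page's token must come from the existing cookie or the token embedded in the page and the token the browser sends will diverge and CSRF checks fail; `csrf_token` is defined outside the hunk, so confirm it returns the existing cookie value before generating a new one. A comment above the `unless` would pin that invariant for the next maintainer: `# Only set the cookie when absent; csrf_token must reuse the existing cookie value so page and cookie agree.` The cookie also carries no `secure` attribute, so when the application is served over HTTPS the token is still offered on plaintext requests; `secure: request.ssl?` would scope it without breaking local http development. show_error_page starts and ends outside the hunk.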
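Review bot: The new `CSRF_TOKEN_COOKIE_NAME` in the second hunk interpolates `VERSION`, which this file resolves lexically (presumably to `BetterErrors::VERSION`); if the version file is not loaded before middleware.rb the constant now raises NameError at require time rather than at first use, so confirm the require order in the gem's entry point. Versioning the name also means cookies under the old name and under every previous version's name are never expired by this code, so each upgrade leaves one more `BetterErrors-<version>-CSRF-Token` cookie in the browser; deleting the predecessor is awkward because the pre-patch cookie had no explicit path, so at least document the trade-off: `# Versioned so a stale pre-upgrade token is ignored; old cookies are left to expire on their own.` The surrounding class body starts and ends outside the hunk.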