Closed zbelzer closed 2 years ago
This addresses this Rack vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2019-16782
Is there anything holding this up from being merged? 🙂
Hi there! Any news?
Thanks!
I'm not sure that this patch completely addresses the vulnerability described since the gem still uses the session identifier in the cookie as the key in Redis.
This allows the store to take advantage of the security fix added in https://github.com/rack/rack/commit/cc1d162d28396b6a71f266e6a40ffc19a258792b
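The point raised in this thread about the cookie's session identifier being used as the Redis key, shown as an added example (not code from this pull request, the gem, or Rack): a store that keys its backend on a SHA-256 digest of the cookie value, plus a check for entries still keyed the old way. `SketchSessionStore`, its method names and the Hash standing in for Redis are hypothetical; the `2::` prefix is modelled on Rack's `SessionId#private_id`.

```ruby
require "digest"
require "securerandom"

# Hypothetical store; a Hash stands in for Redis so the example runs offline.
class SketchSessionStore
  ID_VERSION = 2 # assumption: version prefix modelled on Rack's SessionId

  attr_reader :backend

  def initialize
    @backend = {}
  end

  # Key used in the backing store: a digest of the cookie value, so the
  # identifier the client presents never appears as a stored key.
  def private_id(public_id)
    "#{ID_VERSION}::#{Digest::SHA256.hexdigest(public_id)}"
  end

  # Returns the public ID, which is the only value that goes in the cookie.
  def create(data)
    public_id = SecureRandom.hex(32)
    @backend[private_id(public_id)] = data
    public_id
  end

  def find(cookie_value)
    return nil unless cookie_value.is_a?(String) && !cookie_value.empty?
    @backend[private_id(cookie_value)]
  end

  def destroy(cookie_value)
    !@backend.delete(private_id(cookie_value)).nil?
  end

  # Audit helper: keys that are not in digest form, i.e. sessions still
  # stored under the raw cookie identifier.
  def legacy_keys
    @backend.keys.reject { |k| k.match?(/\A#{ID_VERSION}::\h{64}\z/) }
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SketchSessionStore.new
  sid = store.create("user_id" => 42) # constructed sample session data
  puts "cookie value is a stored key: #{store.backend.key?(sid)}"
  puts "lookup via cookie value:      #{store.find(sid).inspect}"
  puts "legacy (raw-ID) keys:         #{store.legacy_keys.inspect}"
end
```

Running `legacy_keys` against a real key listing after a change like this one is a quick way to confirm that no session is still stored under the identifier sent in the cookie.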