This repository has been archived by the owner on Jan 27, 2022. It is now read-only.
Use the fork of ActiverecordSessionStore
This addresses CVE-2019-16782.

There has been a [vulnerability in the wild][1] around session hijacks in Rack and related frameworks for a while now, but this has been fixed in Rack and Rails for a while now. There's a [fix for the upstream version of ActiverecordSessionStore since late 2019][2], but this hasn't been merged yet. We weren't aware of this issue until recently, as it's only [just been added to the Ruby Advisory DB][3].

This uses a fork of the upstream gem, [as suggested in the original PR][4], to fix the immediate issue.

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-16782
[2] rails/activerecord-session_store#151
[3] rubysec/ruby-advisory-db#462
[4] rails/activerecord-session_store#151 (comment)