Issue #12791 has been reported by Yui NARUSE.

----------------------------------------
Bug #12791: Don't allow ,-separator for cookie
https://bugs.ruby-lang.org/issues/12791

* Author: Yui NARUSE
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: 
* Backport: 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
----------------------------------------
RFC2965 allowed both ; and , as separators for cookies, but RFC6265 only allows ;.

Moreover, CVE-2016-7401 uses , as a separator to overwrite the CSRF token.
https://gist.github.com/mala/457a25650950d4daf4144f98159802cc
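The difference the report describes, as an added illustration (not code from this report, the linked gist, or Ruby's own cookie parser): a permissive parser that treats both ; and , as separators beside a strict RFC 6265 parser, both run over one constructed Cookie header whose first value contains a comma. The header value and cookie names are made up for the example.

```ruby
# Added example: two minimal Cookie-header parsers side by side.
# The permissive one keeps the RFC 2965 habit of splitting on ";" or ",";
# the strict one follows RFC 6265, where only ";" separates cookie-pairs
# and a "," is just part of the current value.

# Turn "name=value" chunks into a hash; on duplicate names the last one wins,
# which is what makes the separator choice matter for sensitive cookies.
def parse_pairs(chunks)
  cookies = {}
  chunks.each do |chunk|
    name, value = chunk.strip.split("=", 2)
    next if name.nil? || name.empty?
    cookies[name] = value.to_s
  end
  cookies
end

# Permissive (RFC 2965 style): "," is accepted as a pair separator.
def parse_cookie_permissive(header)
  parse_pairs(header.split(/[;,]/))
end

# Strict (RFC 6265): only ";" separates cookie-pairs.
def parse_cookie_strict(header)
  parse_pairs(header.split(";"))
end

# Constructed header (hypothetical names/values): the "_pref" value contains
# a comma followed by text shaped like a second "csrf_token" pair.
HEADER = "csrf_token=legit; _pref=blue, csrf_token=injected".freeze

# Returns the csrf_token value each parser would hand to the application,
# so the effect of the separator rule is visible in one place.
def csrf_token_by_parser(header = HEADER)
  {
    permissive: parse_cookie_permissive(header)["csrf_token"],
    strict:     parse_cookie_strict(header)["csrf_token"]
  }
end

if __FILE__ == $0
  p parse_cookie_permissive(HEADER) # comma splits off a second csrf_token pair
  p parse_cookie_strict(HEADER)     # comma stays inside the "_pref" value
  p csrf_token_by_parser
end
```

With the permissive split the later "csrf_token" chunk replaces the legitimate one; with the strict split the application still sees the original token and the odd text stays inside "_pref".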
