Hello everyone,

A vulnerability has been disclosed to Plug. All applications that set
cookies based on user input are vulnerable. The vulnerability affects code
of the following form:

    put_resp_cookie(conn, "username", conn.params["username"])
    put_resp_cookie(conn, conn.params["username"], "valid")

In the code above, either the cookie key or the cookie value is set from user
input. Because the key and value are written into the `Set-Cookie` response
header without escaping, this may allow an attacker to inject arbitrary
headers (header injection).

We have released new Plug versions v1.0.6, v1.1.9, v1.2.5 and v1.3.5. If
you can't upgrade immediately, this message also includes workarounds you
can apply directly in your applications.

  * Versions affected: v1.3.4 and earlier, v1.2.4 and earlier, v1.1.8 and
earlier, v1.0.5 and earlier
  * Versions fixed: v1.3.5+, v1.2.5+, v1.1.9+, v1.0.6+
  * Reporter: Griffin Byatt

## Workarounds

The Plug documentation has always included the following advice in the
`put_resp_cookie` documentation:

> The cookie value is not automatically escaped. Therefore, if you want to
> store values with comma, quotes, etc, you need to explicitly escape them or
> use a function such as `Base.encode64` when writing and `Base.decode64`
> when reading the cookie.

If you are following the advice above, you are **safe**.

If you can't upgrade immediately, we recommend encoding and decoding the
value, per the advice above, or at least making sure that characters such as
newlines, carriage returns, commas and semicolons are not present in the
cookie value.

Instead of:

    put_resp_cookie(conn, "username", conn.params["username"])

You may write:

    username = conn.params["username"]
    # Reject any value that could terminate the Set-Cookie header or
    # start a new cookie attribute before it reaches put_resp_cookie
    if String.contains?(username, ["\r", "\n", ";", ","]), do: raise "no donut for you"
    put_resp_cookie(conn, "username", username)
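A fuller version of the two workarounds above (rejecting dangerous characters, and encoding with `Base.encode64` on write and decoding on read), written here as an added example that is not Plug's own code or part of the original announcement. The module name `SafeCookie` and its function names are hypothetical; it assumes `Plug.Conn` is available.

```elixir
defmodule SafeCookie do
  # Hypothetical helper module (example code, not part of Plug).
  import Plug.Conn, only: [put_resp_cookie: 4, fetch_cookies: 1]

  # Characters that would end the Set-Cookie header line (CR, LF) or
  # begin a new cookie attribute/pair (";", ",") if left unescaped.
  @forbidden ["\r", "\n", ";", ","]

  # Workaround 1: validate. Returns {:ok, value} only for a binary that
  # contains none of the forbidden characters, so a missing param (nil)
  # or a non-string param is rejected instead of crashing the request.
  def validate(value) when is_binary(value) do
    if String.contains?(value, @forbidden),
      do: {:error, :invalid_cookie},
      else: {:ok, value}
  end

  def validate(_), do: {:error, :invalid_cookie}

  # Workaround 2: encode on write. Base64 output uses only
  # [A-Za-z0-9+/=], none of which can break the Set-Cookie header,
  # so arbitrary user input becomes safe to store.
  def put_encoded_cookie(conn, key, value, opts \\ []) when is_binary(value) do
    put_resp_cookie(conn, key, Base.encode64(value), opts)
  end

  # Decode on read, treating a missing or tampered cookie as absent
  # rather than raising.
  def get_encoded_cookie(conn, key) do
    conn = fetch_cookies(conn)

    case conn.cookies[key] do
      nil ->
        nil

      encoded ->
        case Base.decode64(encoded) do
          {:ok, value} -> value
          :error -> nil
        end
    end
  end
end
```

Used together, a controller would call `validate/1` on `conn.params["username"]` and only pass an `{:ok, value}` result to `put_encoded_cookie/3`.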

## End of life for Plug v1.0.x

We are also announcing the end-of-life support for Plug v1.0.x. If you are
running on Plug v1.0, please update to more recent versions. We have
[updated the README to list all supported versions](https://github.com/elixir-lang/plug#supported-versions).

## Thanks

We want to thank Griffin Byatt for reporting this vulnerability.


*José Valim*
www.plataformatec.com.br
Skype: jv.ptec
Founder and Director of R&D
