    Update rack and related gems to 2.0.9 · bec220dc
    Stan Hu authored
    NOTE: The upgrade is backwards compatible with existing sessions, but
    the upgrade of redis-rack v2.1.2 changed Redis keys from
    `session:gitlab:<random hex value>` to `session:gitlab:2::<hash of hex
    value>`. If a session does not have a key in the new schema, it will be
    created transparently. The old session key will eventually be expired
    automatically.
    
    To upgrade to rack 2.0.9, we need to do the following:
    
    1. Fix ActiveSession to use new Rack::Session::SessionId
    2. Add a monkey patch for ActionController::TestSessionPatch
    
    Controller tests were failing without the changes in
    https://github.com/rails/rails/pull/38063, which is available on the
    Rails `6-0-stable` branch but not in Rails 6.0.2.2.
    
    3. Remove CGI escaping of ActiveSession keys. This was not needed
    because CGI escaping was already being done by Rails.
    
    4. Fix deletion of Rack session keys with ActiveSession
    
    redis-rack v2.1.2 changed the session key from one based on the public
    ID to the private ID. We need to adapt ActiveSession to delete both
    versions of the key to clear out old data and to make it work with the
    redis-rack key name changes.
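As an added example (not code from this commit or from GitLab), the session-key mapping the message describes, mirrored in plain Ruby: rack 2.0.9 derives the private id from the public (cookie) id as the prefix `2::` plus a SHA-256 hex digest, and a session teardown therefore has to delete both the legacy key and the new one. The `session:gitlab:` prefix comes from the message; `FakeRedis` and `destroy_session` are assumed stand-ins.

```ruby
require 'digest'

# Added example, not GitLab's code. Shows how rack 2.0.9's session id maps
# the public id (the cookie value) to the private id that redis-rack 2.1.2
# uses as the Redis key, and why clearing a session must delete both keys.
ID_VERSION = 2                          # the "2::" prefix in the new keys
KEY_PREFIX = 'session:gitlab:'.freeze   # key namespace quoted in the commit

# Mirrors Rack::Session::SessionId (rack >= 2.0.8): the private id is the
# version prefix plus the SHA-256 hex digest of the public id.
class SessionId
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  def private_id
    "#{ID_VERSION}::#{Digest::SHA256.hexdigest(public_id)}"
  end
end

# The two Redis keys one session may have: the legacy one keyed by the
# public id (written before the upgrade) and the current one keyed by
# the private id.
def session_keys_for(public_id)
  sid = SessionId.new(public_id)
  [KEY_PREFIX + sid.public_id, KEY_PREFIX + sid.private_id]
end

# Hypothetical in-memory stand-in for the Redis client; only DEL is needed.
class FakeRedis
  def initialize(store)
    @store = store
  end

  # Like Redis DEL: returns how many of the given keys actually existed.
  def del(*keys)
    keys.count { |k| !@store.delete(k).nil? }
  end
end

# Clearing a session the way the ActiveSession fix describes: delete both
# key shapes so pre-upgrade data does not linger under the old key.
def destroy_session(redis, public_id)
  redis.del(*session_keys_for(public_id))
end
```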