josevalim

josevalim

Creator of Elixir

Cookie security fixes for Plug

Hello everyone,

A vulnerability has been disclosed to Plug. All applications that set cookies based on user input is vulnerable. The vulnerability affects code in the following format:

put_resp_cookie(conn, "username", conn.params["username"])
put_resp_cookie(conn, conn.params["username"], "valid")

In the code above, one of the cookie key or value is set based on user input, which may allow an attacker to set arbitrary headers.

We have released new Plug versions v1.0.6, v1.1.9, v1.2.5 and v1.3.5. If you can’t upgrade immediately, we also include fixes you can directly add to your applications.

  • Versions affected: v1.3.4 and early, v1.2.4 and earlier, v1.1.8 and earlier, v1.0.5 and earlier
  • Versions fixed: v1.3.5+, v1.2.5+, v1.1.9+, v1.0.6+
  • Reporter: Griffin Byatt (@griffinbyatt)

Workarounds

The Plug documentation has always included the following advice in the put_resp_cookie documentation:

The cookie value is not automatically escaped. Therefore, if you want to store values with comma, quotes, etc, you need to explicitly escape them or use a function such as Base.encode64 when writing and Base.decode64 when reading the cookie.

If you are following the advice above, you are safe.

If you can’t upgrade immediately, we recommend encoding and decoding the value, per above, or at least make sure characters such as new lines carriage returns, commas and semi-colons are not present on the cookie value.

For example, instead of:

put_resp_cookie(conn, "username", conn.params["username"])

You may write:

username = conn.params["username"]
if String.contains?(username, ["\r", "\n", ";", ","]), do: raise "no donut for you"
put_resp_cookie(conn, "username", username)

End of life for Plug v1.0.x

We are also announcing the end-of-life support for Plug v1.0.x. If you are running on Plug v1.0, please update to more recent versions. We have updated the README to list all supported versions.

Thanks

We want to thank Griffin Byatt for reporting this vulnerability.

Most Liked

dimitarvp

dimitarvp

Awesome work. We’re very grateful that you guys are on top of these!

griffinbyatt

griffinbyatt

I can’t speak to the broader security policy, but fwiw I’ve been applying for CVEs. They’re just taking forever to be approved :slight_smile:

Where Next?

Popular in News Top

Elixir
Today we celebrate 15 years since Elixir’s first commit! To mark the occasion, we are glad to announce the first release candidate for El...
New
josevalim
Announcement: Elixir v1.8 released - The Elixir programming language Release notes: Release v1.8.0 · elixir-lang/elixir · GitHub Thanks...
New
Elixir
Release: Release v1.11.0 · elixir-lang/elixir · GitHub Over the last releases, the Elixir team has been focusing on the compiler, both i...
New
Elixir
Release: Release v1.13.0-rc.0 · elixir-lang/elixir · GitHub The focus behind Elixir v1.13 has been on tooling, mainly tooling related to...
New
josevalim
Hi everyone, We have just released Elixir v1.8.0-rc.0. For more information, checkout the CHANGELOG. Please give it a try and give us f...
New
Elixir
Official announcement: Elixir v1.15 released - The Elixir programming language This release requires Erlang/OTP 24 and later. Elixir v1...
New
josevalim
Hi everyone, The next (and hopefully last) release candidate for Elixir v1.14 is out: Release v1.14.0-rc.1 · elixir-lang/elixir · GitHub...
New
Elixir
1. Enhancements Elixir [Code] Add Code.eval_quoted_with_env/4 with support for the :prune_binding option ExUnit [ExUnit.Case] Allow te...
New
josevalim
See the post: https://elixir-lang.org/blog/2017/12/05/whats-new-in-elixir/ Kudos to @doomspork for starting the series!
New
Elixir
Release: Release v1.10.0-rc.0 · elixir-lang/elixir · GitHub Support for Erlang/OTP 21+ Elixir v1.10 requires Erlang/OTP 21+, allowing El...
New

Other popular topics Top

stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31307 143
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
jaysoifer
Is there a way to rollback a specific migration and only that one (“skipping” all the other ones)? Would mix ecto.rollback -v 200809061...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

We're in Beta

About us Mission Statement