TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
23,244 Commits 2 Branches 0 Tags 294 MiB
9e2e242655
Commit Graph

40 Commits

Author SHA1 Message Date
Jon Leighton
d411c85a65 Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. 2011-05-23 20:25:44 +01:00
David Lee
8366cabd65 Test csrf token param name customization 2011-05-10 18:24:14 -07:00
James Robinson
2cdc1f0cd5 Make csrf_meta_tags use the tag helper 
Improved formatting of csrf_helper and improved test coverage
 2011-04-08 02:21:08 +02:00
Michael Koziarski
ae19e4141f Change the CSRF whitelisting to only apply to get requests 
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
 2011-02-08 14:57:08 -08:00
Dan Pickett
3026843dc1 put authenticity_token option in parity w/ remote 
[#6228 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
 2011-02-06 19:04:52 -02:00
Timothy N. Tsvetkov
b9309b47cd Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. 
[#6228 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
 2011-02-05 18:58:32 -02:00
Jakub Kuźma
5106ce88e4 authenticity_token option for form_tag [#2988 state:resolved] 2011-01-09 15:55:26 -08:00
Emilio Tagua
535371e956 Fix indentation. 2010-09-27 11:19:19 -03:00
Xavier Noria
0207bc7cc9 get csrf_meta_tag back to the generated layout in deference to existing printed material, chomp also the generated HTML to be faithful to the output before the refactor 2010-09-14 01:35:44 +02:00
Xavier Noria
a87b92db7b revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty 2010-09-11 11:05:00 +02:00
Xavier Noria
fb6b805620 code gardening: we have assert_(nil|blank|present), more concise, with better default failure messages - let's use them 2010-08-17 03:32:11 +02:00
Jeremy Kemper
31f8a59c16 Test that csrf meta content is html-escaped, too 2010-02-04 18:03:06 -08:00
Jeremy Kemper
6bf79f02be Revert dumb test 2010-02-04 17:49:23 -08:00
Jeremy Kemper
3062bc70ef HTML-escape csrf meta contents 2010-02-04 17:45:43 -08:00
Jeremy Kemper
2191aa47ac Expose CSRF param name also 2010-02-04 15:26:24 -08:00
Jeremy Kemper
78de17cf70 Expose CSRF tag for UJS adapters 2010-02-04 14:58:32 -08:00
Joshua Peek
9c2c307ee4 Move form_remote_tag and remote_form_for into prototype_legacy_helper 2010-01-30 15:42:30 -06:00
Jeremy Kemper
0dfd993e77 Fix test bleed 2009-11-18 17:54:27 -08:00
Jeremy Kemper
e1385be025 Extract form_authenticity_param instance method so it's overridable in subclasses 2009-11-17 23:40:06 -08:00
Joshua Peek
24ad9ae3d2 Cleanup route reloading in tests. Prefer with_routing over using ActionController::Routing::Routes directly 2009-08-16 21:14:26 -05:00
Ross Kaffenburger and Bryan Helmkamp
256b0ee8e3 Don't check authenticity tokens for any AJAX requests 2009-04-15 16:04:21 -07:00
Jeremy Kemper
1c36172c13 Ruby 1.9 compat: rename deprecated assert_raises to assert_raise. 
[#1617 state:resolved]
 2009-03-08 13:11:58 -07:00
Michael Koziarski
9fdb15e60f Change the forgery token implementation to just be a simple random string. 
This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
 2008-11-23 14:28:34 +01:00
Jeremy Kemper
eeea1a26ec Merge branch 'master' into testing 2008-11-15 12:21:04 -08:00
Jeff Cohen
fbbcd6f29a Changed request forgery protection to only worry about HTML-formatted content requests. 
Signed-off-by: Michael Koziarski <michael@koziarski.com>
 2008-11-13 11:23:21 +01:00
Jeremy Kemper
c82e8e1f48 Move controller assertions from base TestCase to AC:: and AV::TestCase 2008-11-07 15:42:34 -05:00
rick
74fd17346f Merge branch 'master' of git@github.com:rails/rails 2008-05-13 09:41:10 -07:00
Peter Jones
2a986200b9 Bug: Earlier Check for Session in Forgery Protection 
The session is used by the form_authenticity_token method before it is
tested to be valid.  This patch moves a few lines around so that the
session is validated first.

Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:

  undefined method `session_id' for {}:Hash

The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.
 2008-05-11 13:27:34 -05:00
rick
c8451aeeea change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73] 2008-05-06 02:58:32 -07:00
rick
0697d17d12 Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved] 2008-05-06 00:42:24 -07:00
Michael Koziarski
5ef8a81b84 Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2008-01-08 21:17:08 +00:00
Jeremy Kemper
9d755f1983 require abstract_unit directly since test is in load path 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2008-01-05 13:32:06 +00:00
Jeremy Kemper
0ee1cb2cd3 Ruby 1.9 compat, consistent load paths 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-10-02 05:32:14 +00:00
Rick Olson
82ff27766d Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-28 16:50:48 +00:00
Michael Koziarski
c1bdf027d8 Add missing require 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-28 16:48:59 +00:00
Rick Olson
5edc81dcc2 Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-28 15:55:45 +00:00
David Heinemeier Hansson
82c1fed89f Protect button_to behind protect_from_forgery (closes #9675) [lifo] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-25 16:50:35 +00:00
David Heinemeier Hansson
bdf5672077 Change from InvalidToken to InvalidAuthenticityToken to be more specific 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-24 23:12:25 +00:00
Rick Olson
c619003854 Rename some RequestForgeryProtection methods. The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-23 18:14:44 +00:00
Rick Olson
4e3ed5bc44 Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-23 02:32:55 +00:00