Jon Leighton
d411c85a65
Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required.
2011-05-23 20:25:44 +01:00
David Lee
8366cabd65
Test csrf token param name customization
2011-05-10 18:24:14 -07:00
James Robinson
2cdc1f0cd5
Make csrf_meta_tags use the tag helper
...
Improved formatting of csrf_helper and improved test coverage
2011-04-08 02:21:08 +02:00
Michael Koziarski
ae19e4141f
Change the CSRF whitelisting to only apply to get requests
...
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
X-CSRF-Token: ...
This fixes CVE-2011-0447
2011-02-08 14:57:08 -08:00
Dan Pickett
3026843dc1
put authenticity_token option in parity w/ remote
...
[#6228 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-06 19:04:52 -02:00
Timothy N. Tsvetkov
b9309b47cd
Added tests for form_for and an authenticity_token option. Added docs for form_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.
...
[#6228 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 18:58:32 -02:00
Jakub Kuźma
5106ce88e4
authenticity_token option for form_tag [ #2988 state:resolved]
2011-01-09 15:55:26 -08:00
Emilio Tagua
535371e956
Fix indentation.
2010-09-27 11:19:19 -03:00
Xavier Noria
0207bc7cc9
get csrf_meta_tag back to the generated layout in deference to existing printed material, chomp also the generated HTML to be faithful to the output before the refactor
2010-09-14 01:35:44 +02:00
Xavier Noria
a87b92db7b
revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibility
2010-09-11 11:05:00 +02:00
Xavier Noria
fb6b805620
code gardening: we have assert_(nil|blank|present), more concise, with better default failure messages - let's use them
2010-08-17 03:32:11 +02:00
Jeremy Kemper
31f8a59c16
Test that csrf meta content is html-escaped, too
2010-02-04 18:03:06 -08:00
Jeremy Kemper
6bf79f02be
Revert dumb test
2010-02-04 17:49:23 -08:00
Jeremy Kemper
3062bc70ef
HTML-escape csrf meta contents
2010-02-04 17:45:43 -08:00
Jeremy Kemper
2191aa47ac
Expose CSRF param name also
2010-02-04 15:26:24 -08:00
Jeremy Kemper
78de17cf70
Expose CSRF tag for UJS adapters
2010-02-04 14:58:32 -08:00
Joshua Peek
9c2c307ee4
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 15:42:30 -06:00
Jeremy Kemper
0dfd993e77
Fix test bleed
2009-11-18 17:54:27 -08:00
Jeremy Kemper
e1385be025
Extract form_authenticity_param instance method so it's overridable in subclasses
2009-11-17 23:40:06 -08:00
Joshua Peek
24ad9ae3d2
Cleanup route reloading in tests. Prefer with_routing over using ActionController::Routing::Routes directly
2009-08-16 21:14:26 -05:00
Ross Kaffenburger and Bryan Helmkamp
256b0ee8e3
Don't check authenticity tokens for any AJAX requests
2009-04-15 16:04:21 -07:00
Jeremy Kemper
1c36172c13
Ruby 1.9 compat: rename deprecated assert_raises to assert_raise.
...
[#1617 state:resolved]
2009-03-08 13:11:58 -07:00
Michael Koziarski
9fdb15e60f
Change the forgery token implementation to just be a simple random string.
...
This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
2008-11-23 14:28:34 +01:00
Jeremy Kemper
eeea1a26ec
Merge branch 'master' into testing
2008-11-15 12:21:04 -08:00
Jeff Cohen
fbbcd6f29a
Changed request forgery protection to only worry about HTML-formatted content requests.
...
Signed-off-by: Michael Koziarski <michael@koziarski.com>
2008-11-13 11:23:21 +01:00
Jeremy Kemper
c82e8e1f48
Move controller assertions from base TestCase to AC:: and AV::TestCase
2008-11-07 15:42:34 -05:00
rick
74fd17346f
Merge branch 'master' of git@github.com:rails/rails
2008-05-13 09:41:10 -07:00
Peter Jones
2a986200b9
Bug: Earlier Check for Session in Forgery Protection
...
The session is used by the form_authenticity_token method before it is
tested to be valid. This patch moves a few lines around so that the
session is validated first.
Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:
undefined method `session_id' for {}:Hash
The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.
2008-05-11 13:27:34 -05:00
rick
c8451aeeea
change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [ #73 ]
2008-05-06 02:58:32 -07:00
rick
0697d17d12
Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [ #73 state:resolved]
2008-05-06 00:42:24 -07:00
Michael Koziarski
5ef8a81b84
Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-08 21:17:08 +00:00
Jeremy Kemper
9d755f1983
require abstract_unit directly since test is in load path
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-05 13:32:06 +00:00
Jeremy Kemper
0ee1cb2cd3
Ruby 1.9 compat, consistent load paths
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-10-02 05:32:14 +00:00
Rick Olson
82ff27766d
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick]
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 16:50:48 +00:00
Michael Koziarski
c1bdf027d8
Add missing require
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 16:48:59 +00:00
Rick Olson
5edc81dcc2
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 15:55:45 +00:00
David Heinemeier Hansson
82c1fed89f
Protect button_to behind protect_from_forgery ( closes #9675 ) [lifo]
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-25 16:50:35 +00:00
David Heinemeier Hansson
bdf5672077
Change from InvalidToken to InvalidAuthenticityToken to be more specific
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-24 23:12:25 +00:00
Rick Olson
c619003854
Rename some RequestForgeryProtection methods. The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick]
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-23 18:14:44 +00:00
Rick Olson
4e3ed5bc44
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick]
...
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-23 02:32:55 +00:00