author | Carlhuda <carlhuda@engineyard.com> | 2010-03-19 11:09:41 -0700 |
---|---|---|
committer | Carlhuda <carlhuda@engineyard.com> | 2010-03-19 11:11:02 -0700 |
commit | 7f53dca1a13e21ec4400a765f637b73c0f194979 (patch) | |
tree | a05523cc5568badb44340452e669b8f74cb5416f | |
parent | 562154fcbc8f36f94c986a3253c73ae88e2c1146 (diff) | |
Fix protect_against_forgery
-rw-r--r-- | actionpack/lib/action_controller/railtie.rb | 4 | ||||
-rw-r--r-- | railties/test/application/configuration_test.rb | 27 |
2 files changed, 30 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index 6a3afbb157..2626a31fc2 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -52,7 +52,9 @@ module ActionController
 ac.stylesheets_dir = paths.public.stylesheets.to_a.first
 ac.secret = app.config.cookie_secret
- ActionController.base_hook { self.config.replace(ac) }
+ ActionController.base_hook do
+ self.config.merge!(ac)
+ end
 end
 initializer "action_controller.initialize_framework_caches" do
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index 54cd751f4e..1b6c657d6d 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -228,5 +228,32 @@ module ApplicationTests
 get "/"
 assert_equal File.expand_path(__FILE__), last_response.headers["X-Lighttpd-Send-File"]
 end
+
+ test "protect from forgery is the default in a new app" do
+ require "rails"
+ require "action_controller/railtie"
+
+ class MyApp < Rails::Application
+ config.session_store :disabled
+
+ routes.draw do
+ match "/" => "omg#index"
+ end
+
+ class ::OmgController < ActionController::Base
+ protect_from_forgery
+
+ def index
+ render :inline => "<%= csrf_meta_tag %>"
+ end
+ end
+ end
+
+ require 'rack/test'
+ extend Rack::Test::Methods
+
+ get "/"
+ assert last_response.body =~ /csrf\-param/
+ end
 end
 end |
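Review bot: The new `self.config.merge!(ac)` call in the `base_hook` block has no comment explaining why it must merge rather than replace, and the difference looks security-relevant. Judging by the commit title, `replace` presumably discarded settings already on the controller config, such as the forgery-protection defaults, while `merge!` keeps them and overlays the railtie values. I would add a line above the call such as `# merge!, not replace: keep defaults already set on the controller config (e.g. forgery protection)`. Note that any key present in `ac` (for example `ac.secret`) still overrides the controller's existing value, which seems intended but is worth stating. The enclosing initializer block starts outside the hunk.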
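Review bot: The only assertion in the new test, `assert last_response.body =~ /csrf\-param/`, checks that the meta tag's parameter name is rendered, not that protection is enforced. It does not check that a token value is emitted or that a non-GET request without a valid token is rejected, so a regression that leaves the tag in place but disables verification would still pass. `OmgController` also calls `protect_from_forgery` itself, so the test presumably pins that the config default survives the initializer; a comment such as `# allow_forgery_protection must survive the railtie's config merge` would make that explicit. Using `assert_match(/csrf-param/, last_response.body)` would print the body on failure. `MyApp` and `::OmgController` are defined as constants inside the test body and may leak into other tests run in the same process.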