authorRafael Mendonça França <rafaelmfranca@gmail.com>2018-04-06 14:28:44 -0400
committerRafael Mendonça França <rafaelmfranca@gmail.com>2018-04-06 14:28:44 -0400
commit03bd370c02a8fa83ab6dd01bdd99fe342c523b81 (patch)
tree8ab9d87256869150a3c113534bac9b9f25855a12
parentb71b8ecc4eeb7b93c4143e729cf8b06c39c63fcb (diff)
Protect all active storage controllers agains CSRF
Before this change it was possible, for example, to use the direct upload controller without going through the site's own pages.
-rw-r--r--activestorage/app/controllers/active_storage/base_controller.rb6
-rw-r--r--activestorage/app/controllers/active_storage/blobs_controller.rb2
-rw-r--r--activestorage/app/controllers/active_storage/direct_uploads_controller.rb2
-rw-r--r--activestorage/app/controllers/active_storage/disk_controller.rb4
-rw-r--r--activestorage/app/controllers/active_storage/representations_controller.rb2
5 files changed, 11 insertions, 5 deletions
diff --git a/activestorage/app/controllers/active_storage/base_controller.rb b/activestorage/app/controllers/active_storage/base_controller.rb
new file mode 100644
index 0000000000..ba825883b9
--- /dev/null
+++ b/activestorage/app/controllers/active_storage/base_controller.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+# The base controller for all ActiveStorage controllers.
+class ActiveStorage::BaseController < ActionController::Base
+ protect_from_forgery with: :exception
+end
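Review bot: The comment on the new base class says nothing about the one thing it does, which is to force forgery protection on every ActiveStorage controller independently of the host application's `config.action_controller.default_protect_from_forgery`; the removed DiskController line shows that setting used to matter here. I would extend the class comment to `# The base controller for all ActiveStorage controllers. Forgery protection is enabled here explicitly (with: :exception) rather than inherited from the host application's ApplicationController, so engine endpoints are protected even when the app has not opted in.` Whether verification actually runs still follows `allow_forgery_protection`, so environments that disable it (typically test) are, as far as I can tell, unaffected.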
diff --git a/activestorage/app/controllers/active_storage/blobs_controller.rb b/activestorage/app/controllers/active_storage/blobs_controller.rb
index fa44131048..92e54c386d 100644
--- a/activestorage/app/controllers/active_storage/blobs_controller.rb
+++ b/activestorage/app/controllers/active_storage/blobs_controller.rb
@@ -4,7 +4,7 @@
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
# security-through-obscurity factor of the signed blob references, you'll need to implement your own
# authenticated redirection controller.
-class ActiveStorage::BlobsController < ActionController::Base
+class ActiveStorage::BlobsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show
diff --git a/activestorage/app/controllers/active_storage/direct_uploads_controller.rb b/activestorage/app/controllers/active_storage/direct_uploads_controller.rb
index 205d173648..cbe2cf2c35 100644
--- a/activestorage/app/controllers/active_storage/direct_uploads_controller.rb
+++ b/activestorage/app/controllers/active_storage/direct_uploads_controller.rb
@@ -3,7 +3,7 @@
# Creates a new blob on the server side in anticipation of a direct-to-service upload from the client side.
# When the client-side upload is completed, the signed_blob_id can be submitted as part of the form to reference
# the blob that was created up front.
-class ActiveStorage::DirectUploadsController < ActionController::Base
+class ActiveStorage::DirectUploadsController < ActiveStorage::BaseController
def create
blob = ActiveStorage::Blob.create_before_direct_upload!(blob_args)
render json: direct_upload_json(blob)
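Review bot: Nothing in the class comment tells integrators that `create` now fails with ActionController::InvalidAuthenticityToken unless the JSON request carries a valid CSRF token (the `X-CSRF-Token` header or the `authenticity_token` parameter), which is a behavior change for anyone calling this endpoint with a hand-rolled client instead of the bundled JavaScript. I would add `# Requests must include the CSRF token (X-CSRF-Token header); see ActiveStorage::BaseController.` to the comment block above the class. The body of `create` continues past the end of the hunk.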
diff --git a/activestorage/app/controllers/active_storage/disk_controller.rb b/activestorage/app/controllers/active_storage/disk_controller.rb
index a7e10c0696..7bc5eb3fdb 100644
--- a/activestorage/app/controllers/active_storage/disk_controller.rb
+++ b/activestorage/app/controllers/active_storage/disk_controller.rb
@@ -4,8 +4,8 @@
# This means using expiring, signed URLs that are meant for immediate access, not permanent linking.
# Always go through the BlobsController, or your own authenticated controller, rather than directly
# to the service url.
-class ActiveStorage::DiskController < ActionController::Base
- skip_forgery_protection if default_protect_from_forgery
+class ActiveStorage::DiskController < ActiveStorage::BaseController
+ skip_forgery_protection
def show
if key = decode_verified_key
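Review bot: `skip_forgery_protection` is now unconditional but carries no comment explaining why this controller alone opts out, which a later reader may mistake for an oversight given the commit's purpose. The justification is visible two lines down: requests to this controller are authorized by the signed, expiring key checked in `decode_verified_key` rather than by a session-bound CSRF token, so I would annotate it: `# Service URLs are authenticated by a signed, expiring key (see decode_verified_key), not by the session, so CSRF protection does not apply here.` Presumably the same reasoning covers the upload action defined outside this hunk; that should be confirmed. `show` continues past the end of the hunk.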
diff --git a/activestorage/app/controllers/active_storage/representations_controller.rb b/activestorage/app/controllers/active_storage/representations_controller.rb
index e0e944dc9c..ce9286db7d 100644
--- a/activestorage/app/controllers/active_storage/representations_controller.rb
+++ b/activestorage/app/controllers/active_storage/representations_controller.rb
@@ -4,7 +4,7 @@
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
# security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
# authenticated redirection controller.
-class ActiveStorage::RepresentationsController < ActionController::Base
+class ActiveStorage::RepresentationsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show