author | Jeremy Daer <jeremydaer@gmail.com> | 2016-04-25 21:03:33 -0500 |
---|---|---|
committer | Jeremy Daer <jeremydaer@gmail.com> | 2016-04-25 21:03:33 -0500 |
commit | 9364d50654a791e6405b0a14854ab08cd5420cab (patch) | |
tree | 362b185e776db2981df4d7eee1338f796732bdb9 | |
parent | 420730b10b46be7e40d806007bb28d3b17c7519f (diff) | |
parent | 60c6b538170ce35cc8ff8382bef2f082868b4b09 (diff) | |
Merge pull request #24641 from rafaelfranca/fix-per-form-token-with-full-url
Discard the scheme and host information when building the per-form token
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 3 | ||||
-rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 13 |
2 files changed, 15 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 5793e28175..f7e8d06f10 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -405,7 +405,8 @@ module ActionController #:nodoc:
 end
 def normalize_action_path(action_path)
- action_path.split('?').first.to_s.chomp('/')
+ uri = URI.parse(action_path)
+ uri.path.chomp('/')
 end
 end
 end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index f7dcbc1984..d56241f9cd 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -781,6 +781,19 @@ class PerFormTokensControllerTest < ActionController::TestCase
 assert_response :success
 end
+ def test_ignores_origin_during_generation
+ get :index, params: {form_path: 'https://example.com/per_form_tokens/post_one/'}
+
+ form_token = assert_presence_and_fetch_form_csrf_token
+
+ # This is required because PATH_INFO isn't reset between requests.
+ @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+ assert_nothing_raised do
+ post :post_one, params: {custom_authenticity_token: form_token}
+ end
+ assert_response :success
+ end
+
 def test_ignores_trailing_slash_during_validation
 get :index |
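Review bot: The new `normalize_action_path` can raise where the old `split('?')` version always returned a string: `URI.parse` raises `URI::InvalidURIError` on input it considers malformed (a path with a space, `|` or `{`, for example), and `uri.path` is `nil` for an opaque URI such as `mailto:x`, so `uri.path.chomp('/')` then fails with `NoMethodError`. If this helper is also applied to the incoming request path on the validation side (not visible in this hunk), a crafted request would surface as an unhandled exception rather than the normal `InvalidAuthenticityToken` rejection, and a template that passes an unusual form action would now fail at render time. I would keep the old behaviour as the fallback: change the second added line to `uri.path.to_s.chomp('/')` and add `rescue URI::InvalidURIError` followed by `action_path.split('?').first.to_s.chomp('/')` before the method's `end`, with a one-line comment that only the path component is bound into the per-form token so scheme and host are deliberately dropped. The hunk also adds no `require 'uri'`; if the file does not already have one it is relying on the constant being loaded elsewhere. The method and its enclosing module close inside the hunk.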