aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoost Baaij <joost@spacebabies.nl>2010-08-26 23:03:30 +0200
committerJoost Baaij <joost@spacebabies.nl>2010-08-26 23:03:30 +0200
commitc28d46a92d1ed91fe929871f5e0e4adcda46c2a7 (patch)
tree6eb6714811a0b9758a91ec1ae34c9ab7e6dc3eb1
parentca36326706edc6cc2ceffa18d093ba799cc65caf (diff)
downloadrails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.tar.gz
rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.tar.bz2
rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.zip
Reflect how CSRF protection now works and refer to the Security Guide for more information
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb54
1 files changed, 18 insertions, 36 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index b632e7aab6..fc3118671f 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -4,45 +4,27 @@ module ActionController #:nodoc:
class InvalidAuthenticityToken < ActionControllerError #:nodoc:
end
- # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
- # web application, not a forged link from another site, is done by embedding a token based on a random
- # string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
- # by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript
- # requests are checked, so this will not protect your XML API (presumably you'll have a different
- # authentication scheme there anyway). Also, GET requests are not protected as these should be
- # idempotent anyway.
+ # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
+ # by including a token in the rendered html for your application. This token is
+ # stored as a random string in the session, to which an attacker does not have
+ # access. When a request reaches your application, \Rails then verifies the received
+ # token with the token in the session. Only HTML and javascript requests are checked,
+ # so this will not protect your XML API (presumably you'll have a different
+ # authentication scheme there anyway). Also, GET requests are not protected as these
+ # should be idempotent.
#
- # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
- # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
- # error message in production by editing public/422.html. A call to this method in ApplicationController is
- # generated by default in post-Rails 2.0 applications.
+ # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
+ # which will check the token and raise an ActionController::InvalidAuthenticityToken
+ # if it doesn't match what was expected. A call to this method is generated for new
+ # \Rails applications by default. You can customize the error message by editing
+ # public/422.html.
#
- # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
- # manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
- # include a hidden field named like that and set its value to what is returned by
- # <tt>form_authenticity_token</tt>.
- #
- # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
- # 1.x, add this to config/environments/test.rb:
- #
- # # Disable request forgery protection in test environment
- # config.action_controller.allow_forgery_protection = false
- #
- # == Learn more about CSRF (Cross-Site Request Forgery) attacks
- #
- # Here are some resources:
- # * http://isc.sans.org/diary.html?storyid=1750
- # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
- #
- # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
- # There are a few guidelines you should follow:
- #
- # * Keep your GET requests safe and idempotent. More reading material:
- # * http://www.xml.com/pub/a/2002/04/24/deviant.html
- # * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
- # * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look
- # for "Expires: at end of session"
+ # The token parameter is named <tt>authenticity_token</tt> by default. The name and
+ # value of this token must be added to every layout that renders forms by including
+ # <tt>csrf_meta_tag</tt> in the html +head+.
#
+ # Learn more about CSRF attacks and securing your application in the
+ # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
module RequestForgeryProtection
extend ActiveSupport::Concern