Merge pull request #18917 from lautis/non-string-csrf-token

Handle non-string authenticity tokens
author: Rafael Mendonça França <rafaelmfranca@gmail.com> 2015-02-18 19:37:24 -0200
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2015-02-18 19:37:24 -0200
commit: fb876b8a2c9445dc989742a8ea64f8fdcbc7705e (patch)
tree: 039d86b6d23cdec5feefc532c23b4b9cbf798a92
parent: 4ffe46f5fe957cb39eb93fc9120fab2dc951b384 (diff)
parent: bf067b41e58409240a0370993069eb8820ca12a6 (diff)
download: rails-fb876b8a2c9445dc989742a8ea64f8fdcbc7705e.tar.gz
rails-fb876b8a2c9445dc989742a8ea64f8fdcbc7705e.tar.bz2
rails-fb876b8a2c9445dc989742a8ea64f8fdcbc7705e.zip
3 files changed, 13 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 268f037bfe..055d4b4f5b 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+*   Non-string authenticity tokens do not raise NoMethodError when decoding
+    the masked token.
+
+    *Ville Lautanala*
+
 *   Add http_cache_forever to Action Controller, so we can cache a response that never gets expired.
 
     *arthurnn*
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 7facbe79aa..7a7e2431b2 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -279,7 +279,7 @@ module ActionController #:nodoc:
 
         begin
           masked_token = Base64.strict_decode64(encoded_masked_token)
-        rescue ArgumentError # encoded_masked_token is invalid Base64
+        rescue ArgumentError, NoMethodError # encoded_masked_token is invalid Base64
           return false
         end
 
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 88155bb404..8887f291cf 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -374,6 +374,13 @@ module RequestForgeryProtectionTests
     end
   end
 
+  def test_should_not_raise_error_if_token_is_not_a_string
+    @controller.unstub(:valid_authenticity_token?)
+    assert_blocked do
+      patch :index, params: { custom_authenticity_token: { foo: 'bar' } }
+    end
+  end
+
   def assert_blocked
     session[:something_like_user_id] = 1
     yield
author	Rafael Mendonça França <rafaelmfranca@gmail.com>	2015-02-18 19:37:24 -0200
committer	Rafael Mendonça França <rafaelmfranca@gmail.com>	2015-02-18 19:37:24 -0200
commit	fb876b8a2c9445dc989742a8ea64f8fdcbc7705e (patch)
tree	039d86b6d23cdec5feefc532c23b4b9cbf798a92
parent	4ffe46f5fe957cb39eb93fc9120fab2dc951b384 (diff)
parent	bf067b41e58409240a0370993069eb8820ca12a6 (diff)
download	rails-fb876b8a2c9445dc989742a8ea64f8fdcbc7705e.tar.gz rails-fb876b8a2c9445dc989742a8ea64f8fdcbc7705e.tar.bz2 rails-fb876b8a2c9445dc989742a8ea64f8fdcbc7705e.zip