aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
diff options
context:
space:
mode:
authorJon Leighton <j@jonathanleighton.com>2017-04-06 16:03:35 +0100
committerJon Leighton <j@jonathanleighton.com>2017-04-06 16:03:35 +0100
commita500b4796f86b05b3fece414f090a496d3cb4298 (patch)
treede4d65fcb3dd0aa3da662c36e67122dcbe2d94ef /actionpack/lib/action_controller/metal/request_forgery_protection.rb
parentfd097cff79c62fedabffae4e9f0fb53c2ec8bcbe (diff)
downloadrails-a500b4796f86b05b3fece414f090a496d3cb4298.tar.gz
rails-a500b4796f86b05b3fece414f090a496d3cb4298.tar.bz2
rails-a500b4796f86b05b3fece414f090a496d3cb4298.zip
Improve logging when Origin header doesn't match
I came up against this while dealing with a misconfigured server. The browser was setting the Origin header to "https://example.com", but the Rails app returned "http://example.com" from request.base_url (because it was failing to detect that HTTPS was used). This caused verify_authenticity_token to fail, but the message in the log was "Can't verify CSRF token", which is confusing because the failure had nothing to do with the CSRF token sent in the request. This made it very hard to identify the issue, so hopefully this will make it more obvious for the next person.
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb6
1 files changed, 5 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index d9a8b9c12d..5051c02a62 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -213,7 +213,11 @@ module ActionController #:nodoc:
if !verified_request?
if logger && log_warning_on_csrf_failure
- logger.warn "Can't verify CSRF token authenticity."
+ if valid_request_origin?
+ logger.warn "Can't verify CSRF token authenticity."
+ else
+ logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+ end
end
handle_unverified_request
end