Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

3 files changed, 81 insertions, 1 deletions

diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index 4630103119..d6dd698c6e 100755
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -326,6 +326,10 @@ module ActionController #:nodoc:
     # Controls the resource action separator
     @@resource_action_separator = "/"
     cattr_accessor :resource_action_separator
+    
+    # Sets the token parameter name for RequestForgery.  Calling #verify_token sets it to :_token by default
+    @@request_forgery_protection_token = nil
+    cattr_accessor :request_forgery_protection_token
 
     # Holds the request object that's primarily used to get environment variables through access like
     # <tt>request.env["REQUEST_URI"]</tt>.
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
new file mode 100644
index 0000000000..9aef1ae833
--- /dev/null
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -0,0 +1,75 @@
+module ActionController #:nodoc:
+  class InvalidToken < ActionControllerError; end
+
+  # Protect a controller's actions with the #verify_token method.  Failure to validate will result in a ActionController::InvalidToken 
+  # exception.  Customize the error message through the use of rescue_templates and rescue_action_in_public.
+  #
+  #   class FooController < ApplicationController
+  #     # uses the cookie session store
+  #     verify_token :except => :index
+  #
+  #     # uses one of the other session stores that uses a session_id value.
+  #     verify_token :secret => 'my-little-pony', :except => :index
+  #   end
+  #
+  # Valid Options:
+  #
+  # * <tt>:only/:except</tt> - passed to the before_filter call.  Set which actions are verified.
+  # * <tt>:secret</tt> - Custom salt used to generate the form_token.  Leave this off if you are using the cookie session store.
+  # * <tt>:digest</tt> - Message digest used for hashing.  Defaults to 'SHA1'
+  module RequestForgeryProtection
+    def self.included(base)
+      base.class_eval do
+        class_inheritable_accessor :verify_token_options
+        self.verify_token_options = {}
+        helper_method :form_token
+      end
+      base.extend(ClassMethods)
+    end
+    
+    module ClassMethods
+      def verify_token(options = {})
+        self.request_forgery_protection_token ||= :_token
+        before_filter :verify_request_token, :only => options.delete(:only), :except => options.delete(:except)
+        verify_token_options.update(options)
+      end
+    end
+
+    protected
+      # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
+      def verify_request_token
+        verified_request? || raise(ActionController::InvalidToken)
+      end
+      
+      # Returns true or false if a request is verified.  Checks:
+      #
+      # * is the format restricted?  By default, only HTML and AJAX requests are checked.
+      # * is it a GET request?  Gets should be safe and idempotent
+      # * Does the form_token match the given _token value from the params?
+      def verified_request?
+        request_forgery_protection_token.nil? || request.method == :get || !verifiable_request_format? || form_token == params[request_forgery_protection_token]
+      end
+    
+      def verifiable_request_format?
+        request.format.html? || request.format.js?
+      end
+    
+      # Sets the token value for the current session.  Pass a :secret option in #verify_token to add a custom salt to the hash.
+      def form_token
+        @form_token ||= verify_token_options[:secret] ? token_from_session_id : token_from_cookie_session
+      end
+      
+      # Generates a unique digest using the session_id and the CSRF secret.
+      def token_from_session_id
+        key    = verify_token_options[:secret].respond_to?(:call) ? verify_token_options[:secret].call(@session) : verify_token_options[:secret]
+        digest = verify_token_options[:digest] || 'SHA1'
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s)
+      end
+      
+      # No secret was given, so assume this is a cookie session store.
+      def token_from_cookie_session
+        session[:csrf_id] ||= CGI::Session.generate_unique_id
+        session.dbman.generate_digest(session[:csrf_id])
+      end
+  end
+end
\ No newline at end of file
diff --git a/actionpack/lib/action_controller/rescue.rb b/actionpack/lib/action_controller/rescue.rb
index 8cffc90d33..c1d2152acb 100644
--- a/actionpack/lib/action_controller/rescue.rb
+++ b/actionpack/lib/action_controller/rescue.rb
@@ -20,7 +20,8 @@ module ActionController #:nodoc:
       'ActiveRecord::RecordInvalid'        => :unprocessable_entity,
       'ActiveRecord::RecordNotSaved'       => :unprocessable_entity,
       'ActionController::MethodNotAllowed' => :method_not_allowed,
-      'ActionController::NotImplemented'   => :not_implemented
+      'ActionController::NotImplemented'   => :not_implemented,
+      'ActionController::InvalidToken'     => :unprocessable_entity
     }
 
     DEFAULT_RESCUE_TEMPLATE = 'diagnostics'