diff options
| author | Jeffrey Guenther <guenther.jeffrey@gmail.com> | 2017-12-08 13:25:54 -0800 |
|---|---|---|
| committer | Jeffrey Guenther <guenther.jeffrey@gmail.com> | 2017-12-08 13:25:54 -0800 |
| commit | a822287cefc38b9b8b3be38ffd775cd3d511b7c3 (patch) | |
| tree | d69c6ea1fcc4299caa11bcbef2ce5520347a4f46 /actionpack/lib/action_controller | |
| parent | 08fab27db52aa375df85a23e89799600f785b9d4 (diff) | |
| parent | da8e0ba03cbae33857954c0c1a228bd6dae562da (diff) | |
| download | rails-a822287cefc38b9b8b3be38ffd775cd3d511b7c3.tar.gz rails-a822287cefc38b9b8b3be38ffd775cd3d511b7c3.tar.bz2 rails-a822287cefc38b9b8b3be38ffd775cd3d511b7c3.zip | |
Merge branch 'master' into activestorage-guide
Diffstat (limited to 'actionpack/lib/action_controller')
| -rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 10 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/metal/strong_parameters.rb | 2 |
2 files changed, 11 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 04fadc90e2..767eddb361 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -415,11 +415,21 @@ module ActionController #:nodoc: allow_forgery_protection end + NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc + The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually + means you have the 'no-referrer' Referrer-Policy header enabled, or that you the request came from a site that + refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the + best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin. + If you cannot change the referrer policy, you can disable origin checking with the + Rails.application.config.action_controller.forgery_protection_origin_check setting. + MSG + # Checks if the request originated from the same origin by looking at the # Origin header. def valid_request_origin? # :doc: if forgery_protection_origin_check # We accept blank origin headers because some user agents don't send it. + raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null" request.origin.nil? || request.origin == request.base_url else true diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index ef7c4c4c16..a56ac749f8 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -335,7 +335,7 @@ module ActionController # the same way as <tt>Hash#each_pair</tt>. def each_pair(&block) @parameters.each_pair do |key, value| - yield key, convert_hashes_to_parameters(key, value) + yield [key, convert_hashes_to_parameters(key, value)] end end alias_method :each, :each_pair |