diff options
author | Matthew Caruana Galizia <mattcg@gmail.com> | 2016-05-20 16:25:02 +0200 |
---|---|---|
committer | Jeremy Daer <jeremydaer@gmail.com> | 2016-05-23 10:21:30 -0700 |
commit | 683b9627b3ad51f14457b580d0d988715b202f96 (patch) | |
tree | 77584ae3df893a3d8532eff0868861f8168feb7d /actionpack/lib | |
parent | 61483b18bcbfaa054113a67f40515c7bf3e892b2 (diff) | |
download | rails-683b9627b3ad51f14457b580d0d988715b202f96.tar.gz rails-683b9627b3ad51f14457b580d0d988715b202f96.tar.bz2 rails-683b9627b3ad51f14457b580d0d988715b202f96.zip |
Respect `log_warning_on_csrf_failure` setting for all CSRF failures
CSRF verification for non-XHR GET requests (cross-origin `<script>`
tags) didn't check this flag before logging failures.
Setting `config.action_controller.log_warning_on_csrf_failure = false`
now disables logging for these CSRF failures as well.
Closes #25086.
Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index f7e8d06f10..0559fbc6ce 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -235,7 +235,9 @@ module ActionController #:nodoc: # we aren't serving an unauthorized cross-origin response. def verify_same_origin_request if marked_for_same_origin_verification? && non_xhr_javascript_response? - logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger + if logger && log_warning_on_csrf_failure + logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING + end raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING end end |