author | Vipul A M <vipulnsward@gmail.com> | 2016-02-18 17:38:19 +0530 |
committer | Vipul A M <vipulnsward@gmail.com> | 2016-02-21 23:20:55 +0530 |
commit | 92203d754f535c01c5ec3175627425d20e3d2839 (patch) | |
tree | d699582ee11ce7e5c1fbec4310527a033d87a05d /actionpack/test/controller | |
parent | 3156a7692c3c51adb846252192364172b05bd67f (diff) | |
Fixed passing of delete method on button_to tag, creating wrong form csrf token
Fixes #23524
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 1984ad8825..6dc4f3fe51 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -136,6 +136,10 @@ class PerFormTokensController < ActionController::Base
 render inline: "<%= form_tag (params[:form_path] || '/per_form_tokens/post_one'), method: (params[:form_method] || :post) %>"
 end
 
+ def button_to
+ render inline: "<%= button_to 'Button', (params[:form_path] || '/per_form_tokens/post_one'), method: (params[:form_method] || :post) %>"
+ end
+
 def post_one
 render plain: ''
 end
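Review bot: The new `button_to` action gives no hint of what it is a fixture for, and its path/method fallback expression is copied verbatim from the `form_tag` action directly above it. A one-line comment above `def button_to` would spare the next reader a trip to the tracker: `# Regression fixture for #23524: a button_to with method: :delete must embed the per-form CSRF token minted for DELETE, not for the POST the generated form itself submits.` The shared fallback `(params[:form_path] || '/per_form_tokens/post_one')` / `(params[:form_method] || :post)` could also move into a small private helper used by both actions, though that is optional in a test controller. The enclosing class continues outside the hunk.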
@@ -710,6 +714,46 @@ class PerFormTokensControllerTest < ActionController::TestCase
 end
 end
 
+ def test_rejects_token_for_incorrect_method_button_to
+ get :button_to, params: { form_method: 'delete' }
+
+ form_token = nil
+ assert_select 'input[name=custom_authenticity_token]' do |elts|
+ form_token = elts.first['value']
+ assert_not_nil form_token
+ end
+
+ actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
+ expected = @controller.send(:per_form_csrf_token, session, '/per_form_tokens/post_one', 'delete')
+ assert_equal expected, actual
+
+ # This is required because PATH_INFO isn't reset between requests.
+ @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+ assert_raises(ActionController::InvalidAuthenticityToken) do
+ patch :post_one, params: { custom_authenticity_token: form_token }
+ end
+ end
+
+ def test_accepts_proper_token_for_delete_method_button_to
+ get :button_to, params: { form_method: 'delete' }
+
+ form_token = nil
+ assert_select 'input[name=custom_authenticity_token]' do |elts|
+ form_token = elts.first['value']
+ assert_not_nil form_token
+ end
+
+ actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
+ expected = @controller.send(:per_form_csrf_token, session, '/per_form_tokens/post_one', 'delete')
+ assert_equal expected, actual
+
+ # This is required because PATH_INFO isn't reset between requests.
+ @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+ assert_nothing_raised do
+ delete :post_one, params: { custom_authenticity_token: form_token }
+ end
+ end
+
 def test_accepts_global_csrf_token
 get :index
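Review bot: The two new tests repeat the same twelve lines of setup — the `get :button_to`, the `assert_select` that pulls the masked token, and the `unmask_token` / `per_form_csrf_token` comparison — and only differ in the verb they then issue against `post_one`; that shared part should be one helper that returns the masked token so each test states just the behaviour it pins. The rejection test also exercises only `patch`; if the pre-fix token was minted for POST, as the commit title suggests, the more telling negative case is that `post :post_one` with this token is refused as well, so consider adding that alongside the `patch` call. The helper below keeps the existing assertions in place and can be dropped anywhere in the class (minitest only runs `test_`-prefixed methods). The enclosing class continues outside the hunk.

```ruby
  def test_rejects_token_for_incorrect_method_button_to
    form_token = button_to_delete_token

    # This is required because PATH_INFO isn't reset between requests.
    @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
    assert_raises(ActionController::InvalidAuthenticityToken) do
      patch :post_one, params: { custom_authenticity_token: form_token }
    end
  end

  # … unchanged: test_accepts_proper_token_for_delete_method_button_to, with the same
  # button_to_delete_token call replacing its copied setup …

  # Renders the button_to fixture with method=delete and returns the masked
  # per-form token, after checking that it was minted for the DELETE verb.
  def button_to_delete_token
    get :button_to, params: { form_method: 'delete' }

    form_token = nil
    assert_select 'input[name=custom_authenticity_token]' do |elts|
      form_token = elts.first['value']
      assert_not_nil form_token
    end

    actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
    expected = @controller.send(:per_form_csrf_token, session, '/per_form_tokens/post_one', 'delete')
    assert_equal expected, actual
    form_token
  end
```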