author | Sean Griffin <sean@seantheprogrammer.com> | 2017-12-07 14:19:39 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-07 14:19:39 -0700 |
commit | e88e6cea2113ce3e54410cbd8c2da92b86f83d2b (patch) | |
tree | 2c1b6cc96b6c0180382c20bb09162118cc697708 /actionpack/test/controller | |
parent | e8286ee272a3e51daebc198519accd1f6895a8d2 (diff) | |
parent | acdba1c6a653bf5c787d3457af95b37708be1e2b (diff) | |
Merge pull request #30780 from JackMc/fix-chrome-referrer-invalidauthenticitytoken
Fix issue #30658 by checking explicitly for 'null' referrer
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index eb3d2f34a8..4822d85bcb 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -446,6 +446,19 @@ module RequestForgeryProtectionTests
 end
 end

+ def test_should_raise_for_post_with_null_origin
+ forgery_protection_origin_check do
+ session[:_csrf_token] = @token
+ @controller.stub :form_authenticity_token, @token do
+ exception = assert_raises(ActionController::InvalidAuthenticityToken) do
+ @request.set_header "HTTP_ORIGIN", "null"
+ post :index, params: { custom_authenticity_token: @token }
+ end
+ assert_match "The browser returned a 'null' origin for a request", exception.message
+ end
+ end
+ end
+
 def test_should_block_post_with_origin_checking_and_wrong_origin
 old_logger = ActionController::Base.logger
 logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new |
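Review bot: test_should_raise_for_post_with_null_origin pins only the rejection path inside `forgery_protection_origin_check`, so nothing in this hunk shows that an `Origin: null` request with a valid token is still accepted when the origin check is off; a companion case outside that helper ending in `assert_response :success` would fix the scope of the new behaviour. The request appears to carry a matching token on purpose, which is what shows the rejection comes from the Origin header rather than the token, and that deserves a comment such as `# valid token on purpose: the rejection must come from the 'null' Origin alone`. Moving `@request.set_header "HTTP_ORIGIN", "null"` above `assert_raises` would leave only the `post` under the assertion. The implementation change is not part of this view (the diffstat is limited to the test directory), so how the configured non-raising strategies behave for a 'null' origin cannot be judged from here and may merit its own test.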