diff options
| author | John Barton (joho) <jrbarton@gmail.com> | 2014-03-05 11:24:51 +1100 |
|---|---|---|
| committer | John Barton (joho) <jrbarton@gmail.com> | 2014-03-05 11:31:57 +1100 |
| commit | 67584c6ae37c88f8abba6f4fbdeedc7c1a6dfa1b (patch) | |
| tree | 6c41b63806c25e48f96db2f5bfc26cb2ebda085c /actionpack | |
| parent | 475c96589ca65282e1a61350271c2f83f0d4044f (diff) | |
| download | rails-67584c6ae37c88f8abba6f4fbdeedc7c1a6dfa1b.tar.gz rails-67584c6ae37c88f8abba6f4fbdeedc7c1a6dfa1b.tar.bz2 rails-67584c6ae37c88f8abba6f4fbdeedc7c1a6dfa1b.zip | |
Make CSRF failure logging optional/configurable.
Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/CHANGELOG.md | 5 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 8 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 16 |
3 files changed, 28 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 66cef08b1b..ff3fafe173 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -2,5 +2,10 @@ `default_url_options` methods. *Tony Wooster* +* Make logging of CSRF failures optional (but on by default) with the + `log_warning_on_csrf_failure` configuration setting in + ActionController::RequestForgeryProtection + + *John Barton* Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes. diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index c88074d4c6..e3b1f5ae7c 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -68,6 +68,10 @@ module ActionController #:nodoc: config_accessor :allow_forgery_protection self.allow_forgery_protection = true if allow_forgery_protection.nil? + # Controls whether a CSRF failure logs a warning. On by default. + config_accessor :log_warning_on_csrf_failure + self.log_warning_on_csrf_failure = true + helper_method :form_authenticity_token helper_method :protect_against_forgery? end @@ -193,7 +197,9 @@ module ActionController #:nodoc: mark_for_same_origin_verification! if !verified_request? - logger.warn "Can't verify CSRF token authenticity" if logger + if logger && log_warning_on_csrf_failure + logger.warn "Can't verify CSRF token authenticity" + end handle_unverified_request end end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 1f5fc06410..99229b3baf 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -289,6 +289,22 @@ module RequestForgeryProtectionTests end end + def test_should_not_warn_if_csrf_logging_disabled + old_logger = ActionController::Base.logger + logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new + ActionController::Base.logger = logger + ActionController::Base.log_warning_on_csrf_failure = false + + begin + assert_blocked { post :index } + + assert_equal 0, logger.logged(:warn).size + ensure + ActionController::Base.logger = old_logger + ActionController::Base.log_warning_on_csrf_failure = true + end + end + def test_should_only_allow_same_origin_js_get_with_xhr_header assert_cross_origin_blocked { get :same_origin_js } assert_cross_origin_blocked { get :same_origin_js, format: 'js' } |