authorJeremy Daer <jeremydaer@gmail.com>2016-04-25 21:03:33 -0500
committerJeremy Daer <jeremydaer@gmail.com>2016-04-25 21:03:33 -0500
commit9364d50654a791e6405b0a14854ab08cd5420cab (patch)
tree362b185e776db2981df4d7eee1338f796732bdb9 /actionpack
parent420730b10b46be7e40d806007bb28d3b17c7519f (diff)
parent60c6b538170ce35cc8ff8382bef2f082868b4b09 (diff)
downloadrails-9364d50654a791e6405b0a14854ab08cd5420cab.tar.gz
rails-9364d50654a791e6405b0a14854ab08cd5420cab.tar.bz2
rails-9364d50654a791e6405b0a14854ab08cd5420cab.zip
Merge pull request #24641 from rafaelfranca/fix-per-form-token-with-full-url
Discard the scheme and host information when building the per-form token
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb3
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb13
2 files changed, 15 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 5793e28175..f7e8d06f10 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -405,7 +405,8 @@ module ActionController #:nodoc:
end
def normalize_action_path(action_path)
- action_path.split('?').first.to_s.chomp('/')
+ uri = URI.parse(action_path)
+ uri.path.chomp('/')
end
end
end
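Review bot: `URI.parse(action_path)` on the new first line of normalize_action_path raises `URI::InvalidURIError` for input it cannot parse (unescaped spaces, non-ASCII bytes, stray `%`), whereas the replaced `action_path.split('?').first.to_s.chomp('/')` never raised. If this method is also run on the incoming request path during per-form token validation — which the hunk does not show — a malformed path would now surface as an unhandled exception instead of a failed token check, so the guard belongs next to the parse. I would rescue the parser error and fall back to a non-raising normalization: `URI.parse(action_path).path.chomp('/')` followed by `rescue URI::InvalidURIError` and `action_path.split('?').first.to_s.chomp('/')` as the fallback branch, and add a test feeding an unparseable path through both generation and validation. The enclosing module continues outside the hunk.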
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index f7dcbc1984..d56241f9cd 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -781,6 +781,19 @@ class PerFormTokensControllerTest < ActionController::TestCase
assert_response :success
end
+ def test_ignores_origin_during_generation
+ get :index, params: {form_path: 'https://example.com/per_form_tokens/post_one/'}
+
+ form_token = assert_presence_and_fetch_form_csrf_token
+
+ # This is required because PATH_INFO isn't reset between requests.
+ @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+ assert_nothing_raised do
+ post :post_one, params: {custom_authenticity_token: form_token}
+ end
+ assert_response :success
+ end
+
def test_ignores_trailing_slash_during_validation
get :index