authorLisa Ugray <lisa.ugray@shopify.com>2017-07-10 11:12:45 -0400
committerLisa Ugray <lisa.ugray@shopify.com>2017-07-10 16:23:47 -0400
commitec4a836919c021c0a5cf9ebeebb4db5e02104a55 (patch)
treeae03e9e4fdff6d55fec6477e4a50c5f9750c9bd7 /actionpack
parentb6300f3ecc79bff29cf9bb804a30fd92403feac1 (diff)
Protect from forgery by default
Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md10
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb4
-rw-r--r--actionpack/lib/action_controller/railtie.rb8
3 files changed, 22 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index f8fd2403ef..59a7f12ac6 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,13 @@
+* Protect from forgery by default
+
+ Rather than protecting from forgery in the generated ApplicationController,
+ add it to ActionController::Base depending on
+ `config.action_controller.default_protect_from_forgery`. This configuration
+ defaults to false to support older versions which have removed it from their
+ ApplicationController, but is set to true for Rails 5.2.
+
+ *Lisa Ugray*
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
*Kir Shatrov*
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 4468cbb2fc..117dee2219 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -85,6 +85,10 @@ module ActionController #:nodoc:
config_accessor :per_form_csrf_tokens
self.per_form_csrf_tokens = false
+ # Controls whether forgery protection is enabled by default.
+ config_accessor :default_protect_from_forgery
+ self.default_protect_from_forgery = false
+
helper_method :form_authenticity_token
helper_method :protect_against_forgery?
end
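Review bot: The one-line comment above `config_accessor :default_protect_from_forgery` says the setting "controls" default protection but not what turning it on actually does, nor why it ships as `false`, which is what someone upgrading an app needs to know before flipping it. I would replace it with `# When true, ActionController::Base enables protect_from_forgery with: :exception as it loads (wired up in the railtie); it defaults to false so apps that already call protect_from_forgery in their own ApplicationController keep their existing behaviour, and the 5.2 defaults set it to true.` The last clause is taken from the commit description rather than from this hunk, so it should be checked against where the 5.2 default is actually set. The enclosing `module ActionController` and the `included` block this sits in start outside the hunk.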
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index 31db7518f1..1c1cd58732 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -69,5 +69,13 @@ module ActionController
config.compile_methods! if config.respond_to?(:compile_methods!)
end
end
+
+ initializer "action_controller.request_forgery_protection" do |app|
+ ActiveSupport.on_load(:action_controller_base) do
+ if app.config.action_controller.default_protect_from_forgery
+ protect_from_forgery with: :exception
+ end
+ end
+ end
end
end
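Review bot: The forgery strategy is fixed to `:exception` inside the new `action_controller.request_forgery_protection` initializer while the setting it reads is a plain boolean, so an app that wants protection on by default with `:null_session` or `:reset_session` cannot express that through `default_protect_from_forgery` and must still call `protect_from_forgery` itself; the initializer should say so. I would add above the `ActiveSupport.on_load` line: `# Runs once ActionController::Base is loaded, so presumably ActionController::API is unaffected; the strategy is fixed to :exception, controllers needing another one call protect_from_forgery themselves (or skip_before_action :verify_authenticity_token to opt out).` The block also reads `app.config.action_controller.default_protect_from_forgery` rather than the `config_accessor` of the same name added on Base, which is two places for one value — worth a comment on why the app config is the one consulted here, if that is deliberate. The enclosing `class Railtie` starts outside the hunk.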