diff options
| -rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
| -rwxr-xr-x | actionpack/lib/action_controller/base.rb | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 51 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/form_tag_helper.rb | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/prototype_helper.rb | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/url_helper.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 24 | ||||
| -rw-r--r-- | actionpack/test/template/text_helper_test.rb | 9 |
8 files changed, 50 insertions, 44 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 49fb5a1b3d..713e25396e 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Rename some RequestForgeryProtection methods. The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick] + * Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] * Secure #sanitize, #strip_tags, and #strip_links helpers against xss attacks. Closes #8877. [Rick, lifofifo, Jacques Distler] diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index d6dd698c6e..bd250af90e 100755 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -327,7 +327,7 @@ module ActionController #:nodoc: @@resource_action_separator = "/" cattr_accessor :resource_action_separator - # Sets the token parameter name for RequestForgery. Calling #verify_token sets it to :_token by default + # Sets the token parameter name for RequestForgery. Calling #protect_from_forgery sets it to :authenticity_token by default @@request_forgery_protection_token = nil cattr_accessor :request_forgery_protection_token diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 9aef1ae833..df84e33050 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -1,43 +1,43 @@ module ActionController #:nodoc: class InvalidToken < ActionControllerError; end - # Protect a controller's actions with the #verify_token method. Failure to validate will result in a ActionController::InvalidToken + # Protect a controller's actions with the #protect_from_forgery method. Failure to validate will result in a ActionController::InvalidToken # exception. Customize the error message through the use of rescue_templates and rescue_action_in_public. # # class FooController < ApplicationController # # uses the cookie session store - # verify_token :except => :index + # protect_from_forgery :except => :index # # # uses one of the other session stores that uses a session_id value. - # verify_token :secret => 'my-little-pony', :except => :index + # protect_from_forgery :secret => 'my-little-pony', :except => :index # end # # Valid Options: # # * <tt>:only/:except</tt> - passed to the before_filter call. Set which actions are verified. - # * <tt>:secret</tt> - Custom salt used to generate the form_token. Leave this off if you are using the cookie session store. + # * <tt>:secret</tt> - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store. # * <tt>:digest</tt> - Message digest used for hashing. Defaults to 'SHA1' module RequestForgeryProtection def self.included(base) base.class_eval do - class_inheritable_accessor :verify_token_options - self.verify_token_options = {} - helper_method :form_token + class_inheritable_accessor :request_forgery_protection_options + self.request_forgery_protection_options = {} + helper_method :form_authenticity_token end base.extend(ClassMethods) end module ClassMethods - def verify_token(options = {}) - self.request_forgery_protection_token ||= :_token - before_filter :verify_request_token, :only => options.delete(:only), :except => options.delete(:except) - verify_token_options.update(options) + def protect_from_forgery(options = {}) + self.request_forgery_protection_token ||= :authenticity_token + before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except) + request_forgery_protection_options.update(options) end end protected # The actual before_filter that is used. Modify this to change how you handle unverified requests. - def verify_request_token + def verify_authenticity_token verified_request? || raise(ActionController::InvalidToken) end @@ -45,9 +45,12 @@ module ActionController #:nodoc: # # * is the format restricted? By default, only HTML and AJAX requests are checked. # * is it a GET request? Gets should be safe and idempotent - # * Does the form_token match the given _token value from the params? + # * Does the form_authenticity_token match the given _token value from the params? def verified_request? - request_forgery_protection_token.nil? || request.method == :get || !verifiable_request_format? || form_token == params[request_forgery_protection_token] + request_forgery_protection_token.nil? || + request.method == :get || + !verifiable_request_format? || + form_authenticity_token == params[request_forgery_protection_token] end def verifiable_request_format? @@ -55,19 +58,27 @@ module ActionController #:nodoc: end # Sets the token value for the current session. Pass a :secret option in #verify_token to add a custom salt to the hash. - def form_token - @form_token ||= verify_token_options[:secret] ? token_from_session_id : token_from_cookie_session + def form_authenticity_token + @form_authenticity_token ||= if request_forgery_protection_options[:secret] + authenticity_token_from_session_id + else + authenticity_token_from_cookie_session + end end # Generates a unique digest using the session_id and the CSRF secret. - def token_from_session_id - key = verify_token_options[:secret].respond_to?(:call) ? verify_token_options[:secret].call(@session) : verify_token_options[:secret] - digest = verify_token_options[:digest] || 'SHA1' + def authenticity_token_from_session_id + key = if request_forgery_protection_options[:secret].respond_to?(:call) + request_forgery_protection_options[:secret].call(@session) + else + request_forgery_protection_options[:secret] + end + digest = request_forgery_protection_options[:digest] ||= 'SHA1' OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s) end # No secret was given, so assume this is a cookie session store. - def token_from_cookie_session + def authenticity_token_from_cookie_session session[:csrf_id] ||= CGI::Session.generate_unique_id session.dbman.generate_digest(session[:csrf_id]) end diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb index cb16131cc4..db74df26bf 100644 --- a/actionpack/lib/action_view/helpers/form_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb @@ -424,7 +424,7 @@ module ActionView if request_forgery_protection_token.nil? '' else - tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_token) + tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) end end end diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb index df28a0395b..c6669ccde3 100644 --- a/actionpack/lib/action_view/helpers/prototype_helper.rb +++ b/actionpack/lib/action_view/helpers/prototype_helper.rb @@ -745,7 +745,7 @@ module ActionView else js_options['parameters'] = "'" end - js_options['parameters'] << "_token=' + encodeURIComponent('#{escape_javascript form_token}')" + js_options['parameters'] << "#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_authenticity_token}')" end options_for_javascript(js_options) diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb index 02c5c40727..96e4fdda48 100644 --- a/actionpack/lib/action_view/helpers/url_helper.rb +++ b/actionpack/lib/action_view/helpers/url_helper.rb @@ -474,7 +474,7 @@ module ActionView if request_forgery_protection_token submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); " - submit_function << "s.setAttribute('name', '_token'); s.setAttribute('value', '#{escape_javascript form_token}'); f.appendChild(s);" + submit_function << "s.setAttribute('name', '#{request_forgery_protection_token}'); s.setAttribute('value', '#{escape_javascript form_authenticity_token}'); f.appendChild(s);" end submit_function << "f.submit();" end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 5c4dc1ee5f..59df4615c5 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -5,7 +5,7 @@ ActionController::Routing::Routes.draw do |map| end class RequestForgeryProtectionController < ActionController::Base - verify_token :only => :index, :secret => 'abc' + protect_from_forgery :only => :index, :secret => 'abc' def index render :inline => "<%= form_tag('/') {} %>" @@ -27,7 +27,7 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase def session_id() '123' end end @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') - ActionController::Base.request_forgery_protection_token = :_token + ActionController::Base.request_forgery_protection_token = :authenticity_token end def teardown @@ -36,7 +36,7 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase def test_should_render_form_with_token_tag get :index - assert_select 'form>div>input[name=?][value=?]', '_token', @token + assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token end # Replace this with your real tests. @@ -75,17 +75,17 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase end def test_should_allow_post_with_token - post :index, :_token => @token + post :index, :authenticity_token => @token assert_response :success end def test_should_allow_put_with_token - put :index, :_token => @token + put :index, :authenticity_token => @token assert_response :success end def test_should_allow_delete_with_token - delete :index, :_token => @token + delete :index, :authenticity_token => @token assert_response :success end @@ -107,7 +107,7 @@ end # no token is given, assume the cookie store is used class CsrfCookieMonsterController < ActionController::Base - verify_token :only => :index + protect_from_forgery :only => :index def index render :inline => "<%= form_tag('/') {} %>" @@ -137,7 +137,7 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase attr_reader :dbman end @token = Digest::SHA1.hexdigest("secure") - ActionController::Base.request_forgery_protection_token = :_token + ActionController::Base.request_forgery_protection_token = :authenticity_token end def teardown @@ -146,7 +146,7 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase def test_should_render_form_with_token_tag get :index - assert_select 'form>div>input[name=?][value=?]', '_token', @token + assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token end # Replace this with your real tests. @@ -185,17 +185,17 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase end def test_should_allow_post_with_token - post :index, :_token => @token + post :index, :authenticity_token => @token assert_response :success end def test_should_allow_put_with_token - put :index, :_token => @token + put :index, :authenticity_token => @token assert_response :success end def test_should_allow_delete_with_token - delete :index, :_token => @token + delete :index, :authenticity_token => @token assert_response :success end diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb index 80b9c773b3..979e436556 100644 --- a/actionpack/test/template/text_helper_test.rb +++ b/actionpack/test/template/text_helper_test.rb @@ -289,7 +289,7 @@ class TextHelperTest < Test::Unit::TestCase assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>} end - ActionView::Base.sanitized_allowed_tags.each do |tag_name| + ActionView::Helpers::TextHelper.sanitized_allowed_tags.each do |tag_name| define_method "test_should_allow_#{tag_name}_tag" do assert_sanitized "start <#{tag_name} title=\"1\" onclick=\"foo\">foo <bad>bar</bad> baz</#{tag_name}> end", %(start <#{tag_name} title="1">foo bar baz</#{tag_name}> end) end @@ -551,11 +551,4 @@ class TextHelperTest < Test::Unit::TestCase def assert_sanitized(text, expected = nil) assert_equal((expected || text), sanitize(text)) end - - # pull in configuration values from ActionView::Base - [:sanitized_protocol_separator, :sanitized_protocol_attributes, :sanitized_bad_tags, :sanitized_allowed_tags, :sanitized_allowed_attributes, :sanitized_allowed_protocols, :sanitized_allowed_css_properties, :sanitized_allowed_css_keywords, :sanitized_shorthand_css_properties, :sanitized_uri_attributes].each do |attr| - define_method attr do - ActionView::Base.send(attr) - end - end end |