aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--actionpack/CHANGELOG.md5
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb2
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb7
3 files changed, 13 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 3b115a7bf7..0345d36760 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+* Non-string authenticity tokens do not raise NoMethodError when decoding
+ the masked token.
+
+ *Ville Lautanala*
+
* ActionController#translate supports symbols as shortcuts.
When shortcut is given it also lookups without action name.
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 7facbe79aa..7a7e2431b2 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -279,7 +279,7 @@ module ActionController #:nodoc:
begin
masked_token = Base64.strict_decode64(encoded_masked_token)
- rescue ArgumentError # encoded_masked_token is invalid Base64
+ rescue ArgumentError, NoMethodError # encoded_masked_token is invalid Base64
return false
end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 88155bb404..8887f291cf 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -374,6 +374,13 @@ module RequestForgeryProtectionTests
end
end
+ def test_should_not_raise_error_if_token_is_not_a_string
+ @controller.unstub(:valid_authenticity_token?)
+ assert_blocked do
+ patch :index, params: { custom_authenticity_token: { foo: 'bar' } }
+ end
+ end
+
def assert_blocked
session[:something_like_user_id] = 1
yield