aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack/lib')
-rwxr-xr-xactionpack/lib/action_controller/base.rb5
-rw-r--r--actionpack/lib/action_controller/request_forgery_protection.rb14
-rw-r--r--actionpack/lib/action_view/helpers/form_tag_helper.rb4
-rw-r--r--actionpack/lib/action_view/helpers/prototype_helper.rb2
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb4
5 files changed, 20 insertions, 9 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index fd7e9e5244..9ac728e96a 100755
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -328,8 +328,11 @@ module ActionController #:nodoc:
cattr_accessor :resource_action_separator
# Sets the token parameter name for RequestForgery. Calling #protect_from_forgery sets it to :authenticity_token by default
- @@request_forgery_protection_token = nil
cattr_accessor :request_forgery_protection_token
+
+ # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+ class_inheritable_accessor :allow_forgery_protection
+ self.allow_forgery_protection = true
# Holds the request object that's primarily used to get environment variables through access like
# <tt>request.env["REQUEST_URI"]</tt>.
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 803782113d..3a7eb789c4 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -8,6 +8,7 @@ module ActionController #:nodoc:
class_inheritable_accessor :request_forgery_protection_options
self.request_forgery_protection_options = {}
helper_method :form_authenticity_token
+ helper_method :protect_against_forgery?
end
base.extend(ClassMethods)
end
@@ -48,6 +49,9 @@ module ActionController #:nodoc:
#
# # uses one of the other session stores that uses a session_id value.
# protect_from_forgery :secret => 'my-little-pony', :except => :index
+ #
+ # # you can disable csrf protection on controller-by-controller basis:
+ # skip_before_filter :verify_authenticity_token
# end
#
# Valid Options:
@@ -75,9 +79,9 @@ module ActionController #:nodoc:
# * is it a GET request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given _token value from the params?
def verified_request?
- request_forgery_protection_token.nil? ||
- request.method == :get ||
- !verifiable_request_format? ||
+ !protect_against_forgery? ||
+ request.method == :get ||
+ !verifiable_request_format? ||
form_authenticity_token == params[request_forgery_protection_token]
end
@@ -110,5 +114,9 @@ module ActionController #:nodoc:
session[:csrf_id] ||= CGI::Session.generate_unique_id
session.dbman.generate_digest(session[:csrf_id])
end
+
+ def protect_against_forgery?
+ allow_forgery_protection && request_forgery_protection_token
+ end
end
end \ No newline at end of file
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index db74df26bf..fdc0d10c6c 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -401,7 +401,7 @@ module ActionView
''
when /^post$/i, "", nil
html_options["method"] = "post"
- request_forgery_protection_token ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : ''
+ protect_against_forgery? ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : ''
else
html_options["method"] = "post"
content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0')
@@ -421,7 +421,7 @@ module ActionView
end
def token_tag
- if request_forgery_protection_token.nil?
+ unless protect_against_forgery?
''
else
tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb
index def33b9ee1..7dcc92a674 100644
--- a/actionpack/lib/action_view/helpers/prototype_helper.rb
+++ b/actionpack/lib/action_view/helpers/prototype_helper.rb
@@ -739,7 +739,7 @@ module ActionView
js_options['parameters'] = options[:with]
end
- if request_forgery_protection_token
+ if protect_against_forgery?
if js_options['parameters']
js_options['parameters'] << " + '&"
else
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 490b2c1215..70d3ddd403 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -203,7 +203,7 @@ module ActionView
form_method = method.to_s == 'get' ? 'get' : 'post'
request_token_tag = ''
- if form_method == 'post' && request_forgery_protection_token
+ if form_method == 'post' && protect_against_forgery?
request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
end
@@ -477,7 +477,7 @@ module ActionView
submit_function << "m.setAttribute('name', '_method'); m.setAttribute('value', '#{method}'); f.appendChild(m);"
end
- if request_forgery_protection_token
+ if protect_against_forgery?
submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); "
submit_function << "s.setAttribute('name', '#{request_forgery_protection_token}'); s.setAttribute('value', '#{escape_javascript form_authenticity_token}'); f.appendChild(s);"
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-08 03:01:26 +0000