diff options
Diffstat (limited to 'actionpack/lib')
5 files changed, 35 insertions, 24 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index d6dd698c6e..bd250af90e 100755 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -327,7 +327,7 @@ module ActionController #:nodoc: @@resource_action_separator = "/" cattr_accessor :resource_action_separator - # Sets the token parameter name for RequestForgery. Calling #verify_token sets it to :_token by default + # Sets the token parameter name for RequestForgery. Calling #protect_from_forgery sets it to :authenticity_token by default @@request_forgery_protection_token = nil cattr_accessor :request_forgery_protection_token diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 9aef1ae833..df84e33050 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -1,43 +1,43 @@ module ActionController #:nodoc: class InvalidToken < ActionControllerError; end - # Protect a controller's actions with the #verify_token method. Failure to validate will result in a ActionController::InvalidToken + # Protect a controller's actions with the #protect_from_forgery method. Failure to validate will result in a ActionController::InvalidToken # exception. Customize the error message through the use of rescue_templates and rescue_action_in_public. # # class FooController < ApplicationController # # uses the cookie session store - # verify_token :except => :index + # protect_from_forgery :except => :index # # # uses one of the other session stores that uses a session_id value. - # verify_token :secret => 'my-little-pony', :except => :index + # protect_from_forgery :secret => 'my-little-pony', :except => :index # end # # Valid Options: # # * <tt>:only/:except</tt> - passed to the before_filter call. Set which actions are verified. - # * <tt>:secret</tt> - Custom salt used to generate the form_token. Leave this off if you are using the cookie session store. + # * <tt>:secret</tt> - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store. # * <tt>:digest</tt> - Message digest used for hashing. Defaults to 'SHA1' module RequestForgeryProtection def self.included(base) base.class_eval do - class_inheritable_accessor :verify_token_options - self.verify_token_options = {} - helper_method :form_token + class_inheritable_accessor :request_forgery_protection_options + self.request_forgery_protection_options = {} + helper_method :form_authenticity_token end base.extend(ClassMethods) end module ClassMethods - def verify_token(options = {}) - self.request_forgery_protection_token ||= :_token - before_filter :verify_request_token, :only => options.delete(:only), :except => options.delete(:except) - verify_token_options.update(options) + def protect_from_forgery(options = {}) + self.request_forgery_protection_token ||= :authenticity_token + before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except) + request_forgery_protection_options.update(options) end end protected # The actual before_filter that is used. Modify this to change how you handle unverified requests. - def verify_request_token + def verify_authenticity_token verified_request? || raise(ActionController::InvalidToken) end @@ -45,9 +45,12 @@ module ActionController #:nodoc: # # * is the format restricted? By default, only HTML and AJAX requests are checked. # * is it a GET request? Gets should be safe and idempotent - # * Does the form_token match the given _token value from the params? + # * Does the form_authenticity_token match the given _token value from the params? def verified_request? - request_forgery_protection_token.nil? || request.method == :get || !verifiable_request_format? || form_token == params[request_forgery_protection_token] + request_forgery_protection_token.nil? || + request.method == :get || + !verifiable_request_format? || + form_authenticity_token == params[request_forgery_protection_token] end def verifiable_request_format? @@ -55,19 +58,27 @@ module ActionController #:nodoc: end # Sets the token value for the current session. Pass a :secret option in #verify_token to add a custom salt to the hash. - def form_token - @form_token ||= verify_token_options[:secret] ? token_from_session_id : token_from_cookie_session + def form_authenticity_token + @form_authenticity_token ||= if request_forgery_protection_options[:secret] + authenticity_token_from_session_id + else + authenticity_token_from_cookie_session + end end # Generates a unique digest using the session_id and the CSRF secret. - def token_from_session_id - key = verify_token_options[:secret].respond_to?(:call) ? verify_token_options[:secret].call(@session) : verify_token_options[:secret] - digest = verify_token_options[:digest] || 'SHA1' + def authenticity_token_from_session_id + key = if request_forgery_protection_options[:secret].respond_to?(:call) + request_forgery_protection_options[:secret].call(@session) + else + request_forgery_protection_options[:secret] + end + digest = request_forgery_protection_options[:digest] ||= 'SHA1' OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s) end # No secret was given, so assume this is a cookie session store. - def token_from_cookie_session + def authenticity_token_from_cookie_session session[:csrf_id] ||= CGI::Session.generate_unique_id session.dbman.generate_digest(session[:csrf_id]) end diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb index cb16131cc4..db74df26bf 100644 --- a/actionpack/lib/action_view/helpers/form_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb @@ -424,7 +424,7 @@ module ActionView if request_forgery_protection_token.nil? '' else - tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_token) + tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) end end end diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb index df28a0395b..c6669ccde3 100644 --- a/actionpack/lib/action_view/helpers/prototype_helper.rb +++ b/actionpack/lib/action_view/helpers/prototype_helper.rb @@ -745,7 +745,7 @@ module ActionView else js_options['parameters'] = "'" end - js_options['parameters'] << "_token=' + encodeURIComponent('#{escape_javascript form_token}')" + js_options['parameters'] << "#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_authenticity_token}')" end options_for_javascript(js_options) diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb index 02c5c40727..96e4fdda48 100644 --- a/actionpack/lib/action_view/helpers/url_helper.rb +++ b/actionpack/lib/action_view/helpers/url_helper.rb @@ -474,7 +474,7 @@ module ActionView if request_forgery_protection_token submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); " - submit_function << "s.setAttribute('name', '_token'); s.setAttribute('value', '#{escape_javascript form_token}'); f.appendChild(s);" + submit_function << "s.setAttribute('name', '#{request_forgery_protection_token}'); s.setAttribute('value', '#{escape_javascript form_authenticity_token}'); f.appendChild(s);" end submit_function << "f.submit();" end |