path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
Commit message (Author, Age, Files, Lines)
...
* Sign cookies using key deriver (Santiago Pastorino, 2012-11-03; 1 file, -4/+4)
* Multiple changes to 1.9 hash syntax (AvnerCohen, 2012-10-27; 1 file, -3/+3)
* Build fix for ActionMailer (Arun Agrawal, 2012-09-14; 1 file, -0/+1)
  See http://travis-ci.org/#!/rails/rails/jobs/2444632
* Implement :null_session CSRF protection method (Sergey Nartimov, 2012-09-13; 1 file, -22/+70)
  It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does).
* load active_support/core_ext/class/attribute in active_support/rails (Xavier Noria, 2012-08-02; 1 file, -1/+0)
* copy editing [ci skip] (Vijay Dev, 2012-06-14; 1 file, -4/+7)
* on CSRF whitelisting the argument for :if must be a symbol (Daniel Lopes, 2012-06-07; 1 file, -1/+1)
* fix typos on the CSRF whitelisting doc (Daniel Lopes, 2012-06-07; 1 file, -3/+3)
* Document the CSRF whitelisting on get requests (Daniel Lopes, 2012-06-07; 1 file, -5/+16)
* Removing ==Examples and last blank lines of docs from actionpack (Francesco Rodriguez, 2012-05-15; 1 file, -2/+0)
* CSRF messages are no longer controlled by 422.html because InvalidAuthenticityToken is not raised (Tony Primerano, 2012-03-28; 1 file, -1/+0)
* configure how unverified request will be handled (Sergey Nartimov, 2012-03-09; 1 file, -2/+18)
  can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option
  possible values:
  - :reset_session (default)
  - :exception
  new applications are generated with:
    protect_from_forgery :with => :exception
* removed warning because logger.warn differentiates the warnings (Karunakar (Ruby), 2012-01-05; 1 file, -1/+1)
* Change log level for CSRF token verification warning (Mike Dillon, 2011-09-10; 1 file, -1/+1)
* Changed a few instances of words in the API docs written in British English to American English (according to Weber) (Oemuer Oezkir, 2011-07-24; 1 file, -1/+1)
* TODO fix explicitly loading exceptions, autoload removed (Vishnu Atrai, 2011-07-11; 1 file, -0/+1)
* document handle_unverified_request method (Vijay Dev, 2011-07-02; 1 file, -0/+2)
* update doc about resetting the session in case of authenticity token mismatch (Vijay Dev, 2011-07-01; 1 file, -6/+5)
* Merge branch 'master' of git://github.com/lifo/docrails (Xavier Noria, 2011-05-25; 1 file, -3/+3)
  Conflicts:
    actionmailer/lib/action_mailer/base.rb
    activesupport/lib/active_support/core_ext/kernel/requires.rb
  * Remove extra white spaces on ActionPack docs. (Sebastian Martinez, 2011-05-23; 1 file, -3/+3)
* Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. (Jon Leighton, 2011-05-23; 1 file, -1/+1)
* Warn if we cannot verify CSRF token authenticity (José Valim, 2011-05-09; 1 file, -1/+4)
* Prepend the CSRF filter to make it much more difficult to execute application code before it fires. (Michael Koziarski, 2011-02-23; 1 file, -1/+1)
* Change the CSRF whitelisting to only apply to get requests (Michael Koziarski, 2011-02-08; 1 file, -10/+9)
  Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.
  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    X-CSRF-Token: ...
  This fixes CVE-2011-0447
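The three behaviours described in the commit messages above (the 2011-02-08 change that limits the whitelist to GET and accepts the token from the X-CSRF-Token header, the 2012-03-09 `:with` option with `:reset_session` and `:exception`, and the 2012-09-13 `:null_session` strategy that hands the request an empty session without wiping the stored one) are easier to compare when modelled side by side. The Ruby below is an added example written for this page; it is not code from request_forgery_protection.rb or from any of these commits. The `Request` struct, the plain Hash standing in for the session, the `warnings` array standing in for the logger, treating HEAD like GET, and the byte-wise constant-time comparison are all assumptions of this example rather than Rails APIs.

```ruby
require 'securerandom'

# Added example for this page, not Rails code. Models the CSRF verification
# described in the commit log above; every name here is an assumption of the
# example, not an API of request_forgery_protection.rb.

class InvalidAuthenticityToken < StandardError; end

# Assumed minimal request shape: HTTP verb, form params, headers, session hash.
Request = Struct.new(:request_method, :params, :headers, :session, keyword_init: true)

class ForgeryProtection
  SAFE_VERBS = %w[GET HEAD].freeze      # the commit says GET; HEAD is an assumption here
  TOKEN_PARAM = 'authenticity_token'    # form field name
  TOKEN_HEADER = 'X-CSRF-Token'         # header for XHR callers (2011-02-08 commit)
  STRATEGIES = %i[reset_session exception null_session].freeze

  attr_reader :warnings

  def initialize(with: :reset_session)
    raise ArgumentError, "unknown strategy #{with.inspect}" unless STRATEGIES.include?(with)
    @with = with
    @warnings = []   # stands in for logger.warn
  end

  # Issues (or reuses) the per-session token that forms and XHR calls echo back.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # True when no check is needed (safe verb) or the submitted token matches
  # the one stored in the session, whether it came as a param or a header.
  def verified?(request)
    return true if SAFE_VERBS.include?(request.request_method.to_s.upcase)
    expected = request.session[:_csrf_token]
    submitted = request.params[TOKEN_PARAM] || request.headers[TOKEN_HEADER]
    return false unless expected.is_a?(String) && submitted.is_a?(String)
    secure_compare(expected, submitted)
  end

  # Returns the session the action should run with. Unverified requests are
  # handled by the configured strategy, mirroring the :with option.
  def call(request)
    return request.session if verified?(request)
    @warnings << "can't verify CSRF token authenticity"
    handle_unverified_request(request)
  end

  private

  def handle_unverified_request(request)
    case @with
    when :exception
      raise InvalidAuthenticityToken
    when :reset_session
      request.session.clear   # stored session is wiped; the action sees an empty one
      request.session
    when :null_session
      {}                      # empty session for this request only; stored one untouched
    end
  end

  # Byte-wise comparison whose running time does not depend on where the first
  # mismatch is; lengths are checked first because a length leak is not secret.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note how `:null_session` and `:reset_session` differ only in what happens to the stored session: both give the action an empty session, but only `:reset_session` destroys what was already there, which is the distinction the 2012-09-13 message draws.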
* Add explicit statement that verify_authenticity_token can be turned off for actions. (Ryan Bigg, 2010-11-27; 1 file, -3/+7)
* revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibility (Xavier Noria, 2010-09-11; 1 file, -2/+2)
* Revert "Setup explicit requires for files with exceptions. Removed them from autoloading." (José Valim, 2010-09-02; 1 file, -1/+0)
  Booting a new Rails application does not work after this commit [#5359 state:open]
  This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
* Setup explicit requires for files with exceptions. Removed them from autoloading. (Łukasz Strzałkowski, 2010-09-02; 1 file, -0/+1)
  Signed-off-by: José Valim <jose.valim@gmail.com>
* Reflect how CSRF protection now works and refer to the Security Guide for more information (Joost Baaij, 2010-08-26; 1 file, -36/+18)
* Fix a bunch of minor spelling mistakes (Evgeniy Dolzhenko, 2010-06-11; 1 file, -1/+1)
* Changes made while working on upgrading cells to Rails 3 (wycats, 2010-06-02; 1 file, -0/+1)
* Clean up the config object in ActionPack. Create config_accessor which just delegates to the config object, reducing the number of deprecations and add specific tests. (José Valim, 2010-04-22; 1 file, -74/+44)
* ActionController::Base.request_forgery_protection_token should actually be the name of the token and not true. (Carl Lerche, 2010-03-11; 1 file, -1/+1)
* Move request forgery protection configuration to the AC config object (Carl Lerche, 2010-03-08; 1 file, -4/+41)
  This is an interim solution pending revisiting the rails framework configuration situation.
* Convert to class_attribute (Jeremy Kemper, 2010-02-01; 1 file, -2/+4)
* Use extlib_inheritable_accessor in request_forgery_protection.rb. (Carl Lerche, 2009-12-29; 1 file, -1/+1)
  For some reason the current class_inheritable_accessor does not play nice with included hooks. class_inheritable_accessor will be revised shortly.
* Merge Session stuff into RackConvenience (Joshua Peek, 2009-12-20; 1 file, -16/+16)
* Extract form_authenticity_param instance method so it's overridable in subclasses (Jeremy Kemper, 2009-11-17; 1 file, -0/+5)
* Reorganize CSRF a bit (Yehuda Katz, 2009-10-28; 1 file, -33/+23)
* Rename /base to /metal and make base.rb and metal.rb top-level to reflect their module locations (Yehuda Katz, 2009-08-06; 1 file, -0/+118)