Commit message | Author | Date | Files | Lines
---|---|---|---|---
Prepend the CSRF filter to make it much more difficult to execute application code before it fires. | Michael Koziarski | 2011-02-23 | 1 | -1/+1
Change the CSRF whitelisting to only apply to get requests. Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447 | Michael Koziarski | 2011-02-08 | 1 | -10/+9
Add explicit statement that verify_authenticity_token can be turned off for actions. | Ryan Bigg | 2010-11-27 | 1 | -3/+7
revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibility | Xavier Noria | 2010-09-11 | 1 | -2/+2
Revert "Setup explicit requires for files with exceptions. Removed them from autoloading." Booting a new Rails application does not work after this commit [#5359 state:open] This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6. | José Valim | 2010-09-02 | 1 | -1/+0
Setup explicit requires for files with exceptions. Removed them from autoloading. Signed-off-by: José Valim <jose.valim@gmail.com> | Łukasz Strzałkowski | 2010-09-02 | 1 | -0/+1
Reflect how CSRF protection now works and refer to the Security Guide for more information | Joost Baaij | 2010-08-26 | 1 | -36/+18
Fix a bunch of minor spelling mistakes | Evgeniy Dolzhenko | 2010-06-11 | 1 | -1/+1
Changes made while working on upgrading cells to Rails 3 | wycats | 2010-06-02 | 1 | -0/+1
Clean up the config object in ActionPack. Create config_accessor which just delegates to the config object, reducing the number of deprecations and add specific tests. | José Valim | 2010-04-22 | 1 | -74/+44
ActionController::Base.request_forgery_protection_token should actually be the name of the token and not true. | Carl Lerche | 2010-03-11 | 1 | -1/+1
Move request forgery protection configuration to the AC config object. This is an interim solution pending revisiting the rails framework configuration situation. | Carl Lerche | 2010-03-08 | 1 | -4/+41
Convert to class_attribute | Jeremy Kemper | 2010-02-01 | 1 | -2/+4
Use extlib_inheritable_accessor in request_forgery_protection.rb. For some reason the current class_inheritable_accessor does not play nice with included hooks. class_inheritable_accessor will be revised shortly. | Carl Lerche | 2009-12-29 | 1 | -1/+1
Merge Session stuff into RackConvenience | Joshua Peek | 2009-12-20 | 1 | -16/+16
Extract form_authenticity_param instance method so it's overridable in subclasses | Jeremy Kemper | 2009-11-17 | 1 | -0/+5
Reorganize CSRF a bit | Yehuda Katz | 2009-10-28 | 1 | -33/+23
Rename /base to /metal and make base.rb and metal.rb top-level to reflect their module locations | Yehuda Katz | 2009-08-06 | 1 | -0/+118
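The 2011-02-08 entry above (the CVE-2011-0447 fix) describes the rule the file enforces from that point on: only GET requests are exempt from the check, and a non-GET request is accepted when it carries the session's token either as the form parameter or in the X-CSRF-Token header; the old "is this an XHR from a browser we trust" whitelist is gone. The block below is an added illustration of that rule written for this page, not Rails's own code from the commit. It assumes a plain hash of headers and params (rather than a Rack env), a fixed session token constructed for the example, and a constant-time comparison, which is my hardening choice and not something the commit message specifies.

```ruby
# Added example (not Rails's request_forgery_protection.rb): the verification
# rule described in the 2011-02-08 commit. GET and HEAD pass unconditionally;
# every other verb must present the session token in the form parameter or in
# the X-CSRF-Token header. "X-Requested-With: XMLHttpRequest" on its own is
# deliberately NOT enough, since non-browser clients such as Flash or Java
# applets could send it.
class CsrfCheck
  SAFE_METHODS = %w[GET HEAD].freeze
  PARAM_NAME   = 'authenticity_token' # the form field name Rails uses
  HEADER_NAME  = 'X-CSRF-Token'       # the header introduced by the commit

  def initialize(session_token)
    @session_token = session_token
  end

  # Byte-wise constant-time comparison so a wrong token does not leak how many
  # leading bytes matched (assumption of this example, not the commit's code).
  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # verb    - HTTP method as a string
  # params  - hash of request parameters (form fields / query string)
  # headers - hash of request headers keyed by their HTTP name
  def verified_request?(verb:, params: {}, headers: {})
    return true if SAFE_METHODS.include?(verb.upcase)
    CsrfCheck.secure_compare(@session_token, params[PARAM_NAME]) ||
      CsrfCheck.secure_compare(@session_token, headers[HEADER_NAME])
  end
end

# Constructed session token for the demonstration only.
TOKEN = 'Zm9yLWV4YW1wbGUtb25seS1ub3QtcmFuZG9t'.freeze

# Runs the check against a set of constructed requests and returns the verdicts.
def demo
  check = CsrfCheck.new(TOKEN)
  {
    get_without_token:    check.verified_request?(verb: 'GET'),
    post_forged:          check.verified_request?(verb: 'POST', params: { 'id' => '42' }),
    post_xhr_header_only: check.verified_request?(verb: 'POST',
                                                  headers: { 'X-Requested-With' => 'XMLHttpRequest' }),
    post_form_token:      check.verified_request?(verb: 'POST',
                                                  params: { 'authenticity_token' => TOKEN }),
    post_header_token:    check.verified_request?(verb: 'POST',
                                                  headers: { 'X-CSRF-Token' => TOKEN }),
    post_wrong_token:     check.verified_request?(verb: 'POST',
                                                  headers: { 'X-CSRF-Token' => 'not-the-session-token' })
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, ok| puts format('%-22s %s', name, ok ? 'allowed' : 'rejected') }
end
```

The `post_xhr_header_only` case is the one the commit is about: under the earlier whitelist a request that looked like a browser XHR was trusted without a token, and a plugin-originated cross-site request could satisfy that test; after the change the same request is rejected unless it also carries the token, which a cross-origin page cannot read.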