aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
Commit message (Collapse)AuthorAgeFilesLines
* Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-3/+65
| | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* Fix protect_from_forgery docsDavid Albert2014-07-271-1/+1
|
* Moved 'params[request_forgery_protection_token]' into its own method and ↵Tom Kadwill2014-05-061-1/+1
| | | | improved tests.
* Make CSRF failure logging optional/configurable.John Barton (joho)2014-03-051-1/+7
| | | | | Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.
* Clearly limit new CSRF protection to GET requestsJeremy Kemper2013-12-171-2/+7
|
* CSRF protection from cross-origin <script> tagsJeremy Kemper2013-12-171-13/+61
| | | | Thanks to @homakov for sounding the alarm about JSONP-style data leaking
* NullSessionHash#destroy should be a no-opJonathan Baudanza2013-09-181-0/+3
| | | | Previously it was raising a NilException
* [ci skip] document protect_against_forgery? methodWeston Platter2013-05-101-0/+1
|
* This cache is not neededSantiago Pastorino2013-02-211-2/+1
|
* Use composition to figure out the forgery protection strategySantiago Pastorino2013-02-211-9/+27
|
* Fix #9168 Initialize NullCookieJar with all options needed for KeyGeneratorAndrey Chernih2013-02-081-1/+1
|
* Merge pull request #9032 from firmhouse/head-breaks-csrfSantiago Pastorino2013-01-281-2/+2
|\ | | | | Make HEAD work / convert to GET once more
| * Added request.head? to forgery protection codeMichiel Sikkes2013-01-221-2/+2
| |
* | Integrate Action Pack with Rack 1.5Carlos Antonio da Silva2013-01-251-3/+4
|/ | | | | | All ActionPack and Railties tests are passing. Closes #8891. [Carlos Antonio da Silva + Santiago Pastorino]
* use `_action` instead of `_filter` callbacksFrancesco Rodriguez2012-12-071-6/+6
|
* Sign cookies using key deriverSantiago Pastorino2012-11-031-4/+4
|
* Multiple changes to 1,9 hash syntaxAvnerCohen2012-10-271-3/+3
|
* Build fix for ActionMailerArun Agrawal2012-09-141-0/+1
| | | | | | See http://travis-ci.org/#!/rails/rails/jobs/2444632
* Implement :null_session CSRF protection methodSergey Nartimov2012-09-131-22/+70
| | | | | | | | It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provide an empty session during request processing but doesn't reset it completely (as :reset_session does).
* load active_support/core_ext/class/attribute in active_support/railsXavier Noria2012-08-021-1/+0
|
* copy editing [ci skip]Vijay Dev2012-06-141-4/+7
|
* on CSRF whitelisting the argument for :if must be a symbolDaniel Lopes2012-06-071-1/+1
|
* fix typos on the CSRF whitelisting docDaniel Lopes2012-06-071-3/+3
|
* Document the CSRF whitelisting on get requestsDaniel Lopes2012-06-071-5/+16
|
* Removing ==Examples and last blank lines of docs from actionpackFrancesco Rodriguez2012-05-151-2/+0
|
* CSRF messages are no longer controlled by 422.html because ↵Tony Primerano2012-03-281-1/+0
| | | | InvalidAuthenticityToken is not raised
* configure how unverified request will be handledSergey Nartimov2012-03-091-2/+18
| | | | | | | | | | | | | can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option possible values: - :reset_session (default) - :exception new applications are generated with: protect_from_forgery :with => :exception
* removed warning because logger.warn differentiate the waringsKarunakar (Ruby)2012-01-051-1/+1
|
* Change log level for CSRF token verification warningMike Dillon2011-09-101-1/+1
|
* Changed a few instances of of words in the API docs written in British ↵Oemuer Oezkir2011-07-241-1/+1
| | | | | | English to American English(according to Weber)
* TODO fix explicitly loading exceptations, autoload removedVishnu Atrai2011-07-111-0/+1
|
* document handle_unverified_request methodVijay Dev2011-07-021-0/+2
|
* update doc about resetting the session in case of authenticity token mismatchVijay Dev2011-07-011-6/+5
|
* Merge branch 'master' of git://github.com/lifo/docrailsXavier Noria2011-05-251-3/+3
|\ | | | | | | | | | | Conflicts: actionmailer/lib/action_mailer/base.rb activesupport/lib/active_support/core_ext/kernel/requires.rb
| * Remove extra white spaces on ActionPack docs.Sebastian Martinez2011-05-231-3/+3
| |
* | Replace references to ActiveSupport::SecureRandom with just SecureRandom, ↵Jon Leighton2011-05-231-1/+1
|/ | | | and require 'securerandom' from the stdlib when active support is required.
* Warn if we cannot verify CSRF token authenticityJosé Valim2011-05-091-1/+4
|
* Prepend the CSRF filter to make it much more difficult to execute ↵Michael Koziarski2011-02-231-1/+1
| | | | application code before it fires.
* Change the CSRF whitelisting to only apply to get requestsMichael Koziarski2011-02-081-10/+9
| | | | | | | | Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
* Add explicit statement that verify_authenticity_token can be turned off for ↵Ryan Bigg2010-11-271-3/+7
| | | | actions.
* revises implementation and documentation of csrf_meta_tags, and aliases ↵Xavier Noria2010-09-111-2/+2
| | | | csrf_meta_tag to it for backwards compatibilty
* Revert "Setup explicit requires for files with exceptions. Removed them from ↵José Valim2010-09-021-1/+0
| | | | | | | | autoloading." Booting a new Rails application does not work after this commit [#5359 state:open] This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
* Setup explicit requires for files with exceptions. Removed them from ↵Łukasz Strzałkowski2010-09-021-0/+1
| | | | | | autoloading. Signed-off-by: José Valim <jose.valim@gmail.com>
* Reflect how CSRF protection now works and refer to the Security Guide for ↵Joost Baaij2010-08-261-36/+18
| | | | more information
* Fix a bunch of minor spelling mistakesEvgeniy Dolzhenko2010-06-111-1/+1
|
* Changes made while working on upgrading cells to Rails 3wycats2010-06-021-0/+1
|
* Clean up the config object in ActionPack. Create config_accessor which just ↵José Valim2010-04-221-74/+44
| | | | delegates to the config object, reducing the number of deprecations and add specific tests.
* ActionController::Base.request_forgery_protection_token should actually be ↵Carl Lerche2010-03-111-1/+1
| | | | the name of the token and not true.
* Move request forgery protection configuration to the AC config objectCarl Lerche2010-03-081-4/+41
| | | | This is an interim solution pending revisiting the rails framework configuration situation.
* Convert to class_attributeJeremy Kemper2010-02-011-2/+4
|
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-04 13:15:41 +0000