Graph | Commit message | Author | Age | Files | Lines
---|---|---|---|---|---
* | Use AS secure_compare for CSRF token comparison | Guillermo Iguaran | 2014-10-23 | 1 | -2/+2 |
* | Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token | Jeremy Kemper | 2014-08-19 | 1 | -3/+65 |
|\ | CSRF token mask from breach-mitigation-rails gem | | | | |
| * | Auth token mask from breach-mitigation-rails gem | Bradley Buda | 2014-08-19 | 1 | -3/+65 |
| | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks. | | | | |
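
The masking scheme this commit describes, as an added example in plain Ruby that is not the gem's or Rails' own code: every response gets a fresh random pad, the session token is XORed with it, and pad plus masked token travel together; verification unmasks and then compares in constant time, which is the point of the "Use AS secure_compare" commit at the top of this log. TOKEN_LENGTH and the helper names (mask_token, unmask_token, valid_token?) are this example's own.

```ruby
require 'securerandom'

# Added example, not Rails' or the gem's own code. TOKEN_LENGTH and the helper
# names are this example's own assumptions.
TOKEN_LENGTH = 32

# Raw token kept in the session; generated once per session.
def generate_raw_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# XOR two byte strings of equal length.
def xor_bytes(a, b)
  raise ArgumentError, 'length mismatch' unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask for one response: a fresh random pad, then pad || (token XOR pad),
# base64-encoded. Every page load emits different bytes for the same token,
# so a compression side channel (BREACH) cannot converge on it byte by byte.
def mask_token(raw_token)
  pad = SecureRandom.random_bytes(raw_token.bytesize)
  [pad + xor_bytes(raw_token, pad)].pack('m0')
end

# Unmask a submitted value; returns nil for anything malformed instead of raising.
def unmask_token(masked)
  return nil unless masked.is_a?(String)
  bytes = masked.unpack1('m0')            # strict base64: raises on bad input
  return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
  pad          = bytes.byteslice(0, TOKEN_LENGTH)
  masked_token = bytes.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  xor_bytes(masked_token, pad)
rescue ArgumentError
  nil
end

# Constant-time equality so a mismatch does not reveal where it occurred.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Full check of a submitted (masked) token against the session's raw token.
def valid_token?(session_token, submitted)
  raw = unmask_token(submitted)
  !raw.nil? && secure_compare(raw, session_token)
end
```

The pad is not a secret and this is not encryption: anyone holding a masked value can unmask it. The property being bought is only that the token's bytes in the response body change on every request, so that an attacker measuring compressed response sizes never sees the same target twice. The length check before unmasking is what keeps a malformed submission from raising inside the XOR rather than being rejected as an ordinary verification failure.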
* | | Uppercase HTML in docs. | Hendy Tanata | 2014-08-08 | 1 | -2/+2 |
|/ | [skip ci] | | | | |
* | Fix protect_from_forgery docs | David Albert | 2014-07-27 | 1 | -1/+1 |
* | Moved 'params[request_forgery_protection_token]' into its own method and improved tests. | Tom Kadwill | 2014-05-06 | 1 | -1/+1 |
* | Make CSRF failure logging optional/configurable. | John Barton (joho) | 2014-03-05 | 1 | -1/+7 |
| | Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default. | | | | |
* | Clearly limit new CSRF protection to GET requests | Jeremy Kemper | 2013-12-17 | 1 | -2/+7 |
* | CSRF protection from cross-origin <script> tags | Jeremy Kemper | 2013-12-17 | 1 | -13/+61 |
| | Thanks to @homakov for sounding the alarm about JSONP-style data leaking | | | | |
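
The check the two commits above describe, as an added example that is not Rails' own code: it applies only to GET requests (the only method a `<script src>` include can issue), and it flags a JavaScript response that was not requested through XHR, since that is exactly the response a cross-origin page could execute and read. The Request and Response structs, the content-type pattern and the function names are this example's assumptions; Rails performs the equivalent check on the real request and on the response it is about to send.

```ruby
# Added example, not Rails' own code. Request/Response are constructed structs
# standing in for the real request and response objects.
Request  = Struct.new(:method, :headers, keyword_init: true)
Response = Struct.new(:content_type, keyword_init: true)

# Only GET responses are inspected: non-GET requests are already covered by
# the authenticity token, and a <script src="..."> tag can only issue a GET.
def marked_for_same_origin_verification?(req)
  req.method.to_s.upcase == 'GET'
end

# Browser XHR helpers set this header; a <script> tag cannot add headers.
def xhr?(req)
  req.headers.fetch('X-Requested-With', '').casecmp?('XMLHttpRequest')
end

# Content types a browser will execute as script (pattern is this example's own).
JS_CONTENT_TYPE = %r{\A(?:text|application)/(?:x-)?(?:java|ecma)script}i

def non_xhr_javascript_response?(req, resp)
  resp.content_type.to_s.match?(JS_CONTENT_TYPE) && !xhr?(req)
end

# true when a cross-origin page could have pulled this response in via
# <script src> and had it executed with the victim's cookies attached.
def cross_origin_script_leak?(req, resp)
  marked_for_same_origin_verification?(req) && non_xhr_javascript_response?(req, resp)
end
```

When the check fires, the right response is to refuse to send the script (Rails raises), not merely to log: the data has already been computed for the victim's session and the only remaining question is whether it leaves the server in an executable form.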
* | NullSessionHash#destroy should be a no-op | Jonathan Baudanza | 2013-09-18 | 1 | -0/+3 |
| | Previously it was raising a NilException | | | | |
* | [ci skip] document protect_against_forgery? method | Weston Platter | 2013-05-10 | 1 | -0/+1 |
* | This cache is not needed | Santiago Pastorino | 2013-02-21 | 1 | -2/+1 |
* | Use composition to figure out the forgery protection strategy | Santiago Pastorino | 2013-02-21 | 1 | -9/+27 |
* | Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator | Andrey Chernih | 2013-02-08 | 1 | -1/+1 |
* | Merge pull request #9032 from firmhouse/head-breaks-csrf | Santiago Pastorino | 2013-01-28 | 1 | -2/+2 |
|\ | Make HEAD work / convert to GET once more | | | | |
| * | Added request.head? to forgery protection code | Michiel Sikkes | 2013-01-22 | 1 | -2/+2 |
* | | Integrate Action Pack with Rack 1.5 | Carlos Antonio da Silva | 2013-01-25 | 1 | -3/+4 |
|/ | All ActionPack and Railties tests are passing. Closes #8891. [Carlos Antonio da Silva + Santiago Pastorino] | | | | |
* | use `_action` instead of `_filter` callbacks | Francesco Rodriguez | 2012-12-07 | 1 | -6/+6 |
* | Sign cookies using key deriver | Santiago Pastorino | 2012-11-03 | 1 | -4/+4 |
* | Multiple changes to 1.9 hash syntax | AvnerCohen | 2012-10-27 | 1 | -3/+3 |
* | Build fix for ActionMailer | Arun Agrawal | 2012-09-14 | 1 | -0/+1 |
| | See http://travis-ci.org/#!/rails/rails/jobs/2444632 | | | | |
* | Implement :null_session CSRF protection method | Sergey Nartimov | 2012-09-13 | 1 | -22/+70 |
| | It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does). | | | | |
* | load active_support/core_ext/class/attribute in active_support/rails | Xavier Noria | 2012-08-02 | 1 | -1/+0 |
* | copy editing [ci skip] | Vijay Dev | 2012-06-14 | 1 | -4/+7 |
* | on CSRF whitelisting the argument for :if must be a symbol | Daniel Lopes | 2012-06-07 | 1 | -1/+1 |
* | fix typos on the CSRF whitelisting doc | Daniel Lopes | 2012-06-07 | 1 | -3/+3 |
* | Document the CSRF whitelisting on get requests | Daniel Lopes | 2012-06-07 | 1 | -5/+16 |
* | Removing ==Examples and last blank lines of docs from actionpack | Francesco Rodriguez | 2012-05-15 | 1 | -2/+0 |
* | CSRF messages are no longer controlled by 422.html because InvalidAuthenticityToken is not raised | Tony Primerano | 2012-03-28 | 1 | -1/+0 |
* | configure how unverified request will be handled | Sergey Nartimov | 2012-03-09 | 1 | -2/+18 |
| | can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option. Possible values: `:reset_session` (default), `:exception`. New applications are generated with: `protect_from_forgery :with => :exception` | | | | |
* | removed warning because logger.warn differentiates the warnings | Karunakar (Ruby) | 2012-01-05 | 1 | -1/+1 |
* | Change log level for CSRF token verification warning | Mike Dillon | 2011-09-10 | 1 | -1/+1 |
* | Changed a few instances of words in the API docs written in British English to American English (according to Weber) | Oemuer Oezkir | 2011-07-24 | 1 | -1/+1 |
* | TODO fix explicitly loading exceptions, autoload removed | Vishnu Atrai | 2011-07-11 | 1 | -0/+1 |
* | document handle_unverified_request method | Vijay Dev | 2011-07-02 | 1 | -0/+2 |
* | update doc about resetting the session in case of authenticity token mismatch | Vijay Dev | 2011-07-01 | 1 | -6/+5 |
* | Merge branch 'master' of git://github.com/lifo/docrails | Xavier Noria | 2011-05-25 | 1 | -3/+3 |
|\ | Conflicts: actionmailer/lib/action_mailer/base.rb activesupport/lib/active_support/core_ext/kernel/requires.rb | | | | |
| * | Remove extra white spaces on ActionPack docs. | Sebastian Martinez | 2011-05-23 | 1 | -3/+3 |
* | | Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. | Jon Leighton | 2011-05-23 | 1 | -1/+1 |
* | Warn if we cannot verify CSRF token authenticity | José Valim | 2011-05-09 | 1 | -1/+4 |
* | Prepend the CSRF filter to make it much more difficult to execute application code before it fires. | Michael Koziarski | 2011-02-23 | 1 | -1/+1 |
* | Change the CSRF whitelisting to only apply to get requests | Michael Koziarski | 2011-02-08 | 1 | -10/+9 |
| | Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447 | | | | |
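
The two rules this commit describes, as an added example that is not Rails' own code: a token is required for every request except GET and HEAD (the "Added request.head?" commit earlier in this log treats HEAD like GET), and the token may arrive either as the hidden authenticity_token form field or as the X-CSRF-Token header. The weaker pre-fix rule, which also waived the token for any request carrying X-Requested-With, is kept beside it only to make the CVE-2011-0447 point concrete. CsrfRequest, the constant names and the helper names are this example's own.

```ruby
# Added example, not Rails' own code: which requests need a CSRF token and
# where the token may come from. CsrfRequest and the constants below are
# assumptions of this example.
CsrfRequest = Struct.new(:method, :params, :headers, keyword_init: true)

SAFE_METHODS = %w[GET HEAD].freeze     # must not change state; no token required
PARAM_NAME   = 'authenticity_token'    # hidden field rendered into every form
HEADER_NAME  = 'X-CSRF-Token'          # carrier for JavaScript (XHR) callers

# Constant-time equality so a mismatch does not reveal where it occurred.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Form field first; the header lets XHR callers send the token without
# rewriting every request body.
def submitted_token(req)
  req.params[PARAM_NAME] || req.headers[HEADER_NAME]
end

def safe_method?(req)
  SAFE_METHODS.include?(req.method.to_s.upcase)
end

# Rule after the fix: only the HTTP method decides whether a token is required,
# and only a matching token satisfies the requirement.
def verified_request?(req, session_token)
  safe_method?(req) || secure_compare(submitted_token(req), session_token)
end

# The pre-fix rule, kept for contrast only: a request marked X-Requested-With
# was trusted without a token. Browser plugins could send that header
# cross-origin, so it proved nothing about where the request came from.
def legacy_verified_request?(req, session_token)
  xhr = req.headers['X-Requested-With'].to_s.casecmp?('XMLHttpRequest')
  safe_method?(req) || xhr || secure_compare(submitted_token(req), session_token)
end
```

The contrast case worth running is a POST that carries X-Requested-With but no token: the legacy rule accepts it, the post-fix rule rejects it. Whether a request is "AJAX" is a property the client asserts about itself; whether it carries the session's token is a property only a same-origin page can satisfy, which is why the fixed rule keys on the token alone.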
* | Add explicit statement that verify_authenticity_token can be turned off for actions. | Ryan Bigg | 2010-11-27 | 1 | -3/+7 |
* | revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibility | Xavier Noria | 2010-09-11 | 1 | -2/+2 |
* | Revert "Setup explicit requires for files with exceptions. Removed them from autoloading." | José Valim | 2010-09-02 | 1 | -1/+0 |
| | Booting a new Rails application does not work after this commit [#5359 state:open] This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6. | | | | |
* | Setup explicit requires for files with exceptions. Removed them from autoloading. | Łukasz Strzałkowski | 2010-09-02 | 1 | -0/+1 |
| | Signed-off-by: José Valim <jose.valim@gmail.com> | | | | |
* | Reflect how CSRF protection now works and refer to the Security Guide for more information | Joost Baaij | 2010-08-26 | 1 | -36/+18 |
* | Fix a bunch of minor spelling mistakes | Evgeniy Dolzhenko | 2010-06-11 | 1 | -1/+1 |
* | Changes made while working on upgrading cells to Rails 3 | wycats | 2010-06-02 | 1 | -0/+1 |
* | Clean up the config object in ActionPack. Create config_accessor which just delegates to the config object, reducing the number of deprecations and add specific tests. | José Valim | 2010-04-22 | 1 | -74/+44 |