Commit message (Collapse) | Author | Age | Files | Lines | ||
---|---|---|---|---|---|---|
... | ||||||
* | CSRF messages are no longer controlled by 422.html because ↵ | Tony Primerano | 2012-03-28 | 1 | -1/+0 | |
| | | | | InvalidAuthenticityToken is not raised | |||||
* | configure how unverified request will be handled | Sergey Nartimov | 2012-03-09 | 1 | -2/+18 | |
| | | | | | | | | | | | | | can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option possible values: - :reset_session (default) - :exception new applications are generated with: protect_from_forgery :with => :exception | |||||
* | removed warning because logger.warn differentiate the warings | Karunakar (Ruby) | 2012-01-05 | 1 | -1/+1 | |
| | ||||||
* | Change log level for CSRF token verification warning | Mike Dillon | 2011-09-10 | 1 | -1/+1 | |
| | ||||||
* | Changed a few instances of of words in the API docs written in British ↵ | Oemuer Oezkir | 2011-07-24 | 1 | -1/+1 | |
| | | | | | | English to American English(according to Weber) | |||||
* | TODO fix explicitly loading exceptations, autoload removed | Vishnu Atrai | 2011-07-11 | 1 | -0/+1 | |
| | ||||||
* | document handle_unverified_request method | Vijay Dev | 2011-07-02 | 1 | -0/+2 | |
| | ||||||
* | update doc about resetting the session in case of authenticity token mismatch | Vijay Dev | 2011-07-01 | 1 | -6/+5 | |
| | ||||||
* | Merge branch 'master' of git://github.com/lifo/docrails | Xavier Noria | 2011-05-25 | 1 | -3/+3 | |
|\ | | | | | | | | | | | Conflicts: actionmailer/lib/action_mailer/base.rb activesupport/lib/active_support/core_ext/kernel/requires.rb | |||||
| * | Remove extra white spaces on ActionPack docs. | Sebastian Martinez | 2011-05-23 | 1 | -3/+3 | |
| | | ||||||
* | | Replace references to ActiveSupport::SecureRandom with just SecureRandom, ↵ | Jon Leighton | 2011-05-23 | 1 | -1/+1 | |
|/ | | | | and require 'securerandom' from the stdlib when active support is required. | |||||
* | Warn if we cannot verify CSRF token authenticity | José Valim | 2011-05-09 | 1 | -1/+4 | |
| | ||||||
* | Prepend the CSRF filter to make it much more difficult to execute ↵ | Michael Koziarski | 2011-02-23 | 1 | -1/+1 | |
| | | | | application code before it fires. | |||||
* | Change the CSRF whitelisting to only apply to get requests | Michael Koziarski | 2011-02-08 | 1 | -10/+9 | |
| | | | | | | | | Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447 | |||||
* | Add explicit statement that verify_authenticity_token can be turned off for ↵ | Ryan Bigg | 2010-11-27 | 1 | -3/+7 | |
| | | | | actions. | |||||
* | revises implementation and documentation of csrf_meta_tags, and aliases ↵ | Xavier Noria | 2010-09-11 | 1 | -2/+2 | |
| | | | | csrf_meta_tag to it for backwards compatibilty | |||||
* | Revert "Setup explicit requires for files with exceptions. Removed them from ↵ | José Valim | 2010-09-02 | 1 | -1/+0 | |
| | | | | | | | | autoloading." Booting a new Rails application does not work after this commit [#5359 state:open] This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6. | |||||
* | Setup explicit requires for files with exceptions. Removed them from ↵ | Łukasz Strzałkowski | 2010-09-02 | 1 | -0/+1 | |
| | | | | | | autoloading. Signed-off-by: José Valim <jose.valim@gmail.com> | |||||
* | Reflect how CSRF protection now works and refer to the Security Guide for ↵ | Joost Baaij | 2010-08-26 | 1 | -36/+18 | |
| | | | | more information | |||||
* | Fix a bunch of minor spelling mistakes | Evgeniy Dolzhenko | 2010-06-11 | 1 | -1/+1 | |
| | ||||||
* | Changes made while working on upgrading cells to Rails 3 | wycats | 2010-06-02 | 1 | -0/+1 | |
| | ||||||
* | Clean up the config object in ActionPack. Create config_accessor which just ↵ | José Valim | 2010-04-22 | 1 | -74/+44 | |
| | | | | delegates to the config object, reducing the number of deprecations and add specific tests. | |||||
* | ActionController::Base.request_forgery_protection_token should actually be ↵ | Carl Lerche | 2010-03-11 | 1 | -1/+1 | |
| | | | | the name of the token and not true. | |||||
* | Move request forgery protection configuration to the AC config object | Carl Lerche | 2010-03-08 | 1 | -4/+41 | |
| | | | | This is an interim solution pending revisiting the rails framework configuration situation. | |||||
* | Convert to class_attribute | Jeremy Kemper | 2010-02-01 | 1 | -2/+4 | |
| | ||||||
* | Use extlib_inheritable_accessor in request_forgery_protection.rb. | Carl Lerche | 2009-12-29 | 1 | -1/+1 | |
| | | | For some reason the current class_inheritable_accessor does not play nice with included hooks. class_inheritable_accessor will be revised shortly. | |||||
* | Merge Session stuff into RackConvenience | Joshua Peek | 2009-12-20 | 1 | -16/+16 | |
| | ||||||
* | Extract form_authenticity_param instance method so it's overridable in ↵ | Jeremy Kemper | 2009-11-17 | 1 | -0/+5 | |
| | | | | subclasses | |||||
* | Reorganize CSRF a bit | Yehuda Katz | 2009-10-28 | 1 | -33/+23 | |
| | ||||||
* | Rename /base to /metal and make base.rb and metal.rb top-level to reflect ↵ | Yehuda Katz | 2009-08-06 | 1 | -0/+118 | |
their module locations |