| Commit message | Author | Age | Files | Lines |
It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946.
The :null_session CSRF protection method provides an empty session during
request processing but doesn't reset it completely (as :reset_session
does).
If embedding auth_token in remote forms is off and we
pass a value for auth_token it should respect it.
Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
to `false`. This change breaks remote forms that need to work also without javascript,
so if you need such behavior, you can either set it to `true` or explicitly pass
`:authenticity_token => true` in form options
There is a regression introduced in 16ee611fa, which breaks
remote forms that should also work without javascript. This commit
introduces a config option that allows configuring this behavior,
defaulting to the old behavior (i.e. include the authenticity token
in remote forms by default).
Conflicts:
actionpack/CHANGELOG.md
forms if you pass true
forms use the meta-tag value
can be configured using `:with` option in `protect_from_forgery` method
or `request_forgery_protection_method` config option
possible values:
- :reset_session (default)
- :exception
new applications are generated with:
protect_from_forgery :with => :exception
PATCH is the correct HTML verb to map to the #update action. The
semantics for PATCH allows for partial updates, whereas PUT requires a
complete replacement.
Changes:
* adds config.default_method_for_update you can set to :patch
* optionally use PATCH instead of PUT in resource routes and forms
* adds the #patch verb to routes to detect PATCH requests
* adds #patch? to Request
* changes documentation and comments to indicate support for PATCH
This change maintains complete backwards compatibility by keeping :put
as the default for config.default_method_for_update.
These requires were added in a87b92d and the implementation changed in
2cdc1f0, removing the need for them.
and require 'securerandom' from the stdlib when active support is required.
Improved formatting of csrf_helper and improved test coverage
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
X-CSRF-Token: ...
This fixes CVE-2011-0447
[#6228 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
form_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.
[#6228 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
printed material, chomp also the generated HTML to be faithful to the output before the refactor
csrf_meta_tag to it for backwards compatibility
better default failure messages - let's use them
subclasses
ActionController::Routing::Routes directly
[#1617 state:resolved]
This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
content requests.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
The session is used by the form_authenticity_token method before it is
tested to be valid. This patch moves a few lines around so that the
session is validated first.
Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:
undefined method `session_id' for {}:Hash
The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.
Mime::Type#verify_request? [#73]
request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]
form, prevents duplicate tokens. Closes #10684 [macournoyer]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
forgery protection. Closes #9670 [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
by default. Closes #9693 [lifofifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de