| Graph | Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|---|
| * | Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. | Jon Leighton | 2011-05-23 | 1 | -3/+3 |
| * | Test csrf token param name customization | David Lee | 2011-05-10 | 1 | -7/+18 |
| * | Make csrf_meta_tags use the tag helper<br>Improved formatting of csrf_helper and improved test coverage | James Robinson | 2011-04-08 | 1 | -5/+3 |
| * | Change the CSRF whitelisting to only apply to get requests<br>Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ...<br>This fixes CVE-2011-0447 | Michael Koziarski | 2011-02-08 | 1 | -136/+75 |
| * | put authenticity_token option in parity w/ remote<br>[#6228 state:committed]<br>Signed-off-by: Santiago Pastorino <santiago@wyeworks.com> | Dan Pickett | 2011-02-06 | 1 | -2/+2 |
| * | Added tests for form_for and an authenticity_token option. Added docs for form_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.<br>[#6228 state:committed]<br>Signed-off-by: Santiago Pastorino <santiago@wyeworks.com> | Timothy N. Tsvetkov | 2011-02-05 | 1 | -0/+18 |
| * | authenticity_token option for form_tag [#2988 state:resolved] | Jakub Kuźma | 2011-01-09 | 1 | -0/+18 |
| * | Fix indentation. | Emilio Tagua | 2010-09-27 | 1 | -19/+18 |
| * | get csrf_meta_tag back to the generated layout in deference to existing printed material, chomp also the generated HTML to be faithful to the output before the refactor | Xavier Noria | 2010-09-14 | 1 | -1/+1 |
| * | revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibility | Xavier Noria | 2010-09-11 | 1 | -2/+6 |
| * | code gardening: we have assert_(nil\|blank\|present), more concise, with better default failure messages - let's use them | Xavier Noria | 2010-08-17 | 1 | -1/+1 |
| * | Test that csrf meta content is html-escaped, too | Jeremy Kemper | 2010-02-04 | 1 | -1/+2 |
| * | Revert dumb test | Jeremy Kemper | 2010-02-04 | 1 | -2/+2 |
| * | HTML-escape csrf meta contents | Jeremy Kemper | 2010-02-04 | 1 | -2/+2 |
| * | Expose CSRF param name also | Jeremy Kemper | 2010-02-04 | 1 | -1/+1 |
| * | Expose CSRF tag for UJS adapters | Jeremy Kemper | 2010-02-04 | 1 | -1/+15 |
| * | Move form_remote_tag and remote_form_for into prototype_legacy_helper | Joshua Peek | 2010-01-30 | 1 | -27/+18 |
| * | Fix test bleed | Jeremy Kemper | 2009-11-18 | 1 | -1/+1 |
| * | Extract form_authenticity_param instance method so it's overridable in subclasses | Jeremy Kemper | 2009-11-17 | 1 | -1/+19 |
| * | Cleanup route reloading in tests. Prefer with_routing over using ActionController::Routing::Routes directly | Joshua Peek | 2009-08-16 | 1 | -5/+1 |
| * | Don't check authenticity tokens for any AJAX requests | Ross Kaffenburger and Bryan Helmkamp | 2009-04-15 | 1 | -5/+6 |
| * | Ruby 1.9 compat: rename deprecated assert_raises to assert_raise.<br>[#1617 state:resolved] | Jeremy Kemper | 2009-03-08 | 1 | -9/+9 |
| * | Change the forgery token implementation to just be a simple random string.<br>This deprecates the use of :secret and :digest which were only needed when we were hashing session ids. | Michael Koziarski | 2008-11-23 | 1 | -87/+6 |
| * \| | Merge branch 'master' into testing | Jeremy Kemper | 2008-11-15 | 1 | -52/+66 |
| \|\ | | | | | |
| \| * | Changed request forgery protection to only worry about HTML-formatted content requests.<br>Signed-off-by: Michael Koziarski <michael@koziarski.com> | Jeff Cohen | 2008-11-13 | 1 | -52/+66 |
| * \| | Move controller assertions from base TestCase to AC:: and AV::TestCase | Jeremy Kemper | 2008-11-07 | 1 | -5/+5 |
| \|/ | | | | | |
| * | Merge branch 'master' of git@github.com:rails/rails | rick | 2008-05-13 | 1 | -0/+24 |
| \|\ | | | | | |
| \| * | Bug: Earlier Check for Session in Forgery Protection<br>The session is used by the form_authenticity_token method before it is tested to be valid. This patch moves a few lines around so that the session is validated first.<br>Without this patch, if you try to use forgery protection with sessions turned off, you get this exception message: undefined method `session_id' for {}:Hash<br>The patch includes a test that can be used to see this behavior before the request_forgery_protection.rb file is patched to fix it. | Peter Jones | 2008-05-11 | 1 | -0/+24 |
| * \| | change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73] | rick | 2008-05-06 | 1 | -3/+45 |
| * \| | Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved] | rick | 2008-05-06 | 1 | -4/+25 |
| \|/ | | | | | |
| * | Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Michael Koziarski | 2008-01-08 | 1 | -0/+9 |
| * | require abstract_unit directly since test is in load path<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Jeremy Kemper | 2008-01-05 | 1 | -1/+1 |
| * | Ruby 1.9 compat, consistent load paths<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Jeremy Kemper | 2007-10-02 | 1 | -1/+1 |
| * | Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick]<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Rick Olson | 2007-09-28 | 1 | -45/+74 |
| * | Add missing require<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Michael Koziarski | 2007-09-28 | 1 | -0/+1 |
| * | Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Rick Olson | 2007-09-28 | 1 | -0/+38 |
| * | Protect button_to behind protect_from_forgery (closes #9675) [lifo]<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | David Heinemeier Hansson | 2007-09-25 | 1 | -106/+38 |
| * | Change from InvalidToken to InvalidAuthenticityToken to be more specific<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | David Heinemeier Hansson | 2007-09-24 | 1 | -12/+12 |
| * | Rename some RequestForgeryProtection methods. The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick]<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Rick Olson | 2007-09-23 | 1 | -12/+12 |
| * | Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick]<br>git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | Rick Olson | 2007-09-23 | 1 | -0/+217 |
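The log above records four decisions that shape a sound CSRF check: the token became a plain random per-session string rather than a digest of the session id (2008-11-23), the check was keyed off the request itself rather than the URL extension so that POSTing to "#{request.uri}.xml" no longer bypassed it (2008-05-06), the meta tag contents were HTML-escaped (2010-02-04), and the XHR/browser-detection whitelist was dropped in favour of exempting only GET and accepting the token in an X-CSRF-Token header (2011-02-08, CVE-2011-0447). The following is an added example that ties those rules together in one small verifier. It is not Rails' own implementation: the module name ForgeryCheck, the methods verified?, verify!, csrf_meta_tags and secure_compare, and the Hash-shaped request and session objects are assumptions made here for a stand-alone demonstration, and the constant-time comparison is an added hardening that none of the commits above mention.

```ruby
require 'securerandom'
require 'cgi'

# Added example, not Rails' own code. Request and session are plain Hashes
# constructed for the demo; real code would read a Rack env and a session store.
module ForgeryCheck
  PARAM        = 'authenticity_token'.freeze
  HEADER       = 'X-CSRF-Token'.freeze
  SAFE_METHODS = %w[GET HEAD].freeze

  class InvalidAuthenticityToken < StandardError; end

  module_function

  # One random token per session, created lazily. A random string needs no
  # :secret or :digest because nothing derived from the session id is exposed.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # request: { method: 'POST', params: {...}, headers: {...} }
  # Only GET/HEAD are exempt. Neither an X-Requested-With header, a Content-Type,
  # nor a ".xml" suffix on the path influences the decision, so none of them is
  # a bypass. The token may arrive as a form param or as the X-CSRF-Token header.
  def verified?(request, session)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)

    presented = request[:params][PARAM] || request[:headers][HEADER]
    return false unless presented.is_a?(String)

    secure_compare(form_authenticity_token(session), presented)
  end

  def verify!(request, session)
    raise InvalidAuthenticityToken unless verified?(request, session)
    true
  end

  # The two <meta> tags a UJS adapter reads to add the header to its XHRs.
  # Both contents are HTML-escaped so neither the token nor a customised param
  # name can break out of the attribute.
  def csrf_meta_tags(session, param_name = PARAM)
    token = form_authenticity_token(session)
    %(<meta name="csrf-param" content="#{CGI.escapeHTML(param_name)}" />\n) +
      %(<meta name="csrf-token" content="#{CGI.escapeHTML(token)}" />)
  end

  # Constant-time comparison (added hardening): a wrong guess takes the same
  # time whether it differs in the first byte or the last.
  def secure_compare(expected, given)
    return false unless expected.bytesize == given.bytesize

    diff = 0
    expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token   = ForgeryCheck.form_authenticity_token(session)
  post    = ->(path, params, headers) { { method: 'POST', path: path, params: params, headers: headers } }

  # A cross-site POST dressed up as XHR: rejected, the old whitelist is gone.
  p ForgeryCheck.verified?(post.call('/posts', {}, { 'X-Requested-With' => 'XMLHttpRequest' }), session)
  # The ".xml" trick from the 2008 commit: still rejected, the path is irrelevant.
  p ForgeryCheck.verified?(post.call('/posts.xml', {}, { 'Content-Type' => 'application/xml' }), session)
  # The same POST with the token in the header: accepted.
  p ForgeryCheck.verified?(post.call('/posts', {}, { 'X-CSRF-Token' => token }), session)
  puts ForgeryCheck.csrf_meta_tags(session)
end
```

The demo block at the bottom walks the three requests an attacker and a legitimate UJS client would send; the header route is what lets a JavaScript adapter satisfy the check without serialising a hidden field into every form it submits.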