From 78de17cf7095af8e86d192af8d8fbe21e6f193d9 Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Thu, 4 Feb 2010 14:15:16 -0800 Subject: Expose CSRF tag for UJS adapters --- .../test/controller/request_forgery_protection_test.rb | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'actionpack/test/controller/request_forgery_protection_test.rb') diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index b2a0e2e2a3..55c21bc84a 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -15,13 +15,17 @@ module RequestForgeryProtectionActions render :text => 'pwn' end + def meta + render :inline => "<%= csrf_meta_tag %>" + end + def rescue_action(e) raise e end end # sample controllers class RequestForgeryProtectionController < ActionController::Base include RequestForgeryProtectionActions - protect_from_forgery :only => :index + protect_from_forgery :only => %w(index meta) end class FreeCookieController < RequestForgeryProtectionController @@ -211,6 +215,11 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase ActiveSupport::SecureRandom.stubs(:base64).returns(@token) ActionController::Base.request_forgery_protection_token = :authenticity_token end + + test 'should emit a csrf-token meta tag' do + get :meta + assert_equal %(), @response.body + end end class FreeCookieControllerTest < ActionController::TestCase @@ -238,6 +247,11 @@ class FreeCookieControllerTest < ActionController::TestCase assert_nothing_raised { send(method, :index)} end end + + test 'should not emit a csrf-token meta tag' do + get :meta + assert @response.body.blank? + end end class CustomAuthenticityParamControllerTest < ActionController::TestCase -- cgit v1.2.3 From 2191aa47acc0a560366c8c09fa9635602cff5f07 Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Thu, 4 Feb 2010 15:26:24 -0800 Subject: Expose CSRF param name also --- actionpack/test/controller/request_forgery_protection_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/test/controller/request_forgery_protection_test.rb') diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 55c21bc84a..77d07d8eeb 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -218,7 +218,7 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase test 'should emit a csrf-token meta tag' do get :meta - assert_equal %(), @response.body + assert_equal %(\n), @response.body end end -- cgit v1.2.3 From 3062bc70eff68397a00fc652e8eee4ae8089e0a2 Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Thu, 4 Feb 2010 17:45:43 -0800 Subject: HTML-escape csrf meta contents --- actionpack/test/controller/request_forgery_protection_test.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/test/controller/request_forgery_protection_test.rb') diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 77d07d8eeb..c38ffad748 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -210,7 +210,7 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase @request = ActionController::TestRequest.new @request.format = :html @response = ActionController::TestResponse.new - @token = "cf50faa3fe97702ca1ae" + @token = "cf50faa3fe97702ca1a/=?" ActiveSupport::SecureRandom.stubs(:base64).returns(@token) ActionController::Base.request_forgery_protection_token = :authenticity_token @@ -227,7 +227,7 @@ class FreeCookieControllerTest < ActionController::TestCase @controller = FreeCookieController.new @request = ActionController::TestRequest.new @response = ActionController::TestResponse.new - @token = "cf50faa3fe97702ca1ae" + @token = "cf50faa3fe97702ca1a/=?" ActiveSupport::SecureRandom.stubs(:base64).returns(@token) end -- cgit v1.2.3 From 6bf79f02bede6a75a5211de64a1359b10749a2df Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Thu, 4 Feb 2010 17:49:23 -0800 Subject: Revert dumb test --- actionpack/test/controller/request_forgery_protection_test.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/test/controller/request_forgery_protection_test.rb') diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index c38ffad748..77d07d8eeb 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -210,7 +210,7 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase @request = ActionController::TestRequest.new @request.format = :html @response = ActionController::TestResponse.new - @token = "cf50faa3fe97702ca1a/=?" + @token = "cf50faa3fe97702ca1ae" ActiveSupport::SecureRandom.stubs(:base64).returns(@token) ActionController::Base.request_forgery_protection_token = :authenticity_token @@ -227,7 +227,7 @@ class FreeCookieControllerTest < ActionController::TestCase @controller = FreeCookieController.new @request = ActionController::TestRequest.new @response = ActionController::TestResponse.new - @token = "cf50faa3fe97702ca1a/=?" + @token = "cf50faa3fe97702ca1ae" ActiveSupport::SecureRandom.stubs(:base64).returns(@token) end -- cgit v1.2.3 From 31f8a59c16d4a29553e2dbf891c891493fd138c0 Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Thu, 4 Feb 2010 18:03:06 -0800 Subject: Test that csrf meta content is html-escaped, too --- actionpack/test/controller/request_forgery_protection_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'actionpack/test/controller/request_forgery_protection_test.rb') diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 77d07d8eeb..be05ef6167 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -217,8 +217,9 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase end test 'should emit a csrf-token meta tag' do + ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?') get :meta - assert_equal %(\n), @response.body + assert_equal %(\n), @response.body end end -- cgit v1.2.3