Changeset 7592

Timestamp:

09/23/07 02:32:55 (8 months ago)

Author:

rick

Message:

Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick]

Files:

• trunk/actionpack/CHANGELOG (modified) (1 diff)
• trunk/actionpack/lib/action_controller.rb (modified) (2 diffs)
• trunk/actionpack/lib/action_controller/base.rb (modified) (1 diff)
• trunk/actionpack/lib/action_controller/request_forgery_protection.rb (added)
• trunk/actionpack/lib/action_controller/rescue.rb (modified) (1 diff)
• trunk/actionpack/lib/action_view/base.rb (modified) (1 diff)
• trunk/actionpack/lib/action_view/helpers/form_tag_helper.rb (modified) (2 diffs)
• trunk/actionpack/lib/action_view/helpers/prototype_helper.rb (modified) (1 diff)
• trunk/actionpack/lib/action_view/helpers/text_helper.rb (modified) (4 diffs)
• trunk/actionpack/lib/action_view/helpers/url_helper.rb (modified) (1 diff)
• trunk/actionpack/test/controller/request_forgery_protection_test.rb (added)
• trunk/actionpack/test/template/form_helper_test.rb (modified) (1 diff)
• trunk/actionpack/test/template/form_tag_helper_test.rb (modified) (1 diff)
• trunk/actionpack/test/template/prototype_helper_test.rb (modified) (1 diff)
• trunk/actionpack/test/template/scriptaculous_helper_test.rb (modified) (1 diff)
• trunk/actionpack/test/template/url_helper_test.rb (modified) (1 diff)

trunk/actionpack/CHANGELOG

@@ -1 +1 @@
-*SVN*
+
+* Merge csrf_killer plugin into rails.  Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests.  [Rick]
-
-* Secure #sanitize, #strip_tags, and #strip_links helpers against xss attacks.  Closes #8877. [Rick, lifofifo, Jacques Distler]

trunk/actionpack/lib/action_controller.rb

@@ -55 +55 @@
-require 'action_controller/components'
-require 'action_controller/record_identifier'
+require 'action_controller/request_forgery_protection'
-
-require 'action_view'
@@ -75 +76 @@
-  include ActionController::Components
-  include ActionController::RecordIdentifier
+  include ActionController::RequestForgeryProtection
-end

trunk/actionpack/lib/action_controller/base.rb

@@ -327 +327 @@
-    @@resource_action_separator = "/"
-    cattr_accessor :resource_action_separator
+    
+    # Sets the token parameter name for RequestForgery.  Calling #verify_token sets it to :_token by default
+    @@request_forgery_protection_token = nil
+    cattr_accessor :request_forgery_protection_token
-
-    # Holds the request object that's primarily used to get environment variables through access like

trunk/actionpack/lib/action_controller/rescue.rb

@@ -21 +21 @@
-      'ActiveRecord::RecordNotSaved'       => :unprocessable_entity,
-      'ActionController::MethodNotAllowed' => :method_not_allowed,
-
+
+
-    }
-

trunk/actionpack/lib/action_view/base.rb

@@ -329 +329 @@
-    end
-
+    delegate :request_forgery_protection_token, :to => :controller
+
-    @@template_handlers = HashWithIndifferentAccess.new
- 

trunk/actionpack/lib/action_view/helpers/form_tag_helper.rb

@@ -402 +402 @@
-            when /^post$/i, "", nil
-              html_options["method"] = "post"
-
+request_forgery_protection_token ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : 
-            else
-              html_options["method"] = "post"
-
+ + token_tag
-          end
-        end
@@ -420 +420 @@
-          concat("</form>", block.binding)
-        end
+
+        def token_tag
+          if request_forgery_protection_token.nil?
+            ''
+          else
+            tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_token)
+          end
+        end
-    end
-  end

trunk/actionpack/lib/action_view/helpers/prototype_helper.rb

@@ -739 +739 @@
-          js_options['parameters'] = options[:with]
-        end
+        
+        if request_forgery_protection_token
+          if js_options['parameters']
+            js_options['parameters'] << " + '&"
+          else
+            js_options['parameters'] = "'"
+          end
+          js_options['parameters'] << "_token=' + encodeURIComponent('#{escape_javascript form_token}')"
+        end
-      
-        options_for_javascript(js_options)

trunk/actionpack/lib/action_view/helpers/text_helper.rb

@@ -326 +326 @@
-      #   # => Blog: Visit
-      def strip_links(html)
-# Stupid firefox treats '<href="http://whatever.com" onClick="alert()">something' as link! 
-if html.index("<a") || html.index("<href")   
-tokenizer = HTML::Tokenizer.new(html) 
-result = ''
-while token = tokenizer.next
-node = HTML::Node.parse(nil, 0, 0, token, fals
-result << node.to_s unless node.is_a?(HTML::Tag) && ["a", "href"].include?(node.name)
- 
-
+if !html.blank? && html.index("<a") || html.index("<href")
+  tokenizer = HTML::Tokenizer.new(html)
+result = returning [] do |result|
+  while token = tokenizer.next 
+    node = HTML::Node.parse(nil, 0, 0, token, false)
+  result << node.to_s unless node.is_a?(HTML::Tag) && ["a", "href"].include?(node.nam
+end
+
+.join
-        else
-          html
@@ -442 +442 @@
-      #
-      # ==== Examples
+      #
-      #   strip_tags("Strip <i>these</i> tags!")
-      #   # => Strip these tags!
@@ -451 +452 @@
-      #   # => Welcome to my website!
-      def strip_tags(html)     
-
-
-
-
-
+
+
+
+
-          while token = tokenizer.next
-            node = HTML::Node.parse(nil, 0, 0, token, false)
@@ -461 +461 @@
-            text << node.to_s if node.class == HTML::Text  
-          end
-  # strip any comments, and if they have a newline at the end (ie. line with
-  # only a comment) strip that too
-  strip_tags(text.gsub(/<!--(.*?)-->[\n]?/m, "")) # Recurse - handle all dirty nested tags
-else
-  html # already plain text
-end 
+end
+
+# strip any comments, and if they have a newline at the end (ie. line with
+# only a comment) strip that too
+# Recurse - handle all dirty nested tags
+strip_tags(text.join.gsub(/<!--(.*?)-->[\n]?/m, ""))
-      end
-      

trunk/actionpack/lib/action_view/helpers/url_helper.rb

@@ -473 +473 @@
-          end
-
+          if request_forgery_protection_token
+            submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); "
+            submit_function << "s.setAttribute('name', '_token'); s.setAttribute('value', '#{escape_javascript form_token}'); f.appendChild(s);"
+          end
-          submit_function << "f.submit();"
-        end

trunk/actionpack/test/template/form_helper_test.rb

@@ -712 +712 @@
-      "/posts/#{post.id}"
-    end
+    
+    def request_forgery_protection_token
+      nil
+    end
-end

trunk/actionpack/test/template/form_tag_helper_test.rb

@@ -178 +178 @@
-    assert_dom_equal expected, _erbout
-  end
+  
+  def request_forgery_protection_token
+    nil
+    
+  end
-end

trunk/actionpack/test/template/prototype_helper_test.rb

@@ -61 +61 @@
-
-protected
+  
+  def request_forgery_protection_token
+    nil
+  end
+  
-  def create_generator
-    block = Proc.new { |*args| yield *args if block_given? } 

trunk/actionpack/test/template/scriptaculous_helper_test.rb

@@ -90 +90 @@
-      drop_receiving_element("droptarget1", :accept => ['tshirts','mugs'], :update => 'infobox')
-  end
+  
+  def request_forgery_protection_token
+    nil
+  end
-end

trunk/actionpack/test/template/url_helper_test.rb

@@ -268 +268 @@
-    assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
-  end
+  
+  def request_forgery_protection_token
+    nil
+  end
-end
-