Changeset 7623
- Timestamp:
- 09/24/07 23:12:25 (1 year ago)
- Files:
-
- trunk/actionpack/lib/action_controller/request_forgery_protection.rb (modified) (5 diffs)
- trunk/actionpack/lib/action_controller/rescue.rb (modified) (1 diff)
- trunk/actionpack/test/controller/request_forgery_protection_test.rb (modified) (2 diffs)
- trunk/railties/CHANGELOG (modified) (1 diff)
trunk/actionpack/lib/action_controller/request_forgery_protection.rb
r7614 r7623 1 1 module ActionController #:nodoc: 2 class InvalidToken < ActionControllerError; end 2 class InvalidAuthenticityToken < ActionControllerError #:nodoc: 3 end 3 4 4 5 module RequestForgeryProtection … … 19 20 # scheme there anyway). Also, GET requests are not protected as these should be indempotent anyway. 20 21 # 21 # You turn this on with the #protect_from_forgery method, which will perform the check and raise an ActionController::InvalidToken if 22 # the token doesn't match what was expected. And it will add a _token parameter to all forms that are automatically generated 23 # by Rails. You can customize the error message given through public/422.html. 22 # You turn this on with the #protect_from_forgery method, which will perform the check and raise 23 # an ActionController::InvalidAuthenticityToken if the token doesn't match what was expected. And it will add 24 # a _authenticity_token parameter to all forms that are automatically generated by Rails. You can customize the error message 25 # given through public/422.html. 24 26 # 25 27 # Learn more about CSRF (Cross-Site Request Forgery) attacks: … … 28 30 # * http://en.wikipedia.org/wiki/Cross-site_request_forgery 29 31 # 30 # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application. There are a few guidelines you31 # should follow:32 # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application. 33 # There are a few guidelines you should follow: 32 34 # 33 35 # * Keep your GET requests safe and idempotent. More reading material: … … 35 37 # * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 36 38 # * Make sure the session cookies that Rails creates are non-persistent. 
Check in Firefox and look for "Expires: at end of session" 39 # 40 # If you need to construct a request yourself, but still want to take advantage of forgery protection, you can grab the 41 # authenticity_token using the form_authenticity_token helper method and make it part of the parameters yourself. 37 42 # 38 43 # Example: … … 62 67 # The actual before_filter that is used. Modify this to change how you handle unverified requests. 63 68 def verify_authenticity_token 64 verified_request? || raise(ActionController::Invalid Token)69 verified_request? || raise(ActionController::InvalidAuthenticityToken) 65 70 end 66 71 trunk/actionpack/lib/action_controller/rescue.rb
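Review bot: The rename drops the old constant outright — `class InvalidToken < ActionControllerError; end` is removed and none of the four files listed in this changeset keeps the name — so any application that already does `rescue ActionController::InvalidToken` or references it in its own rescue configuration will fail with an uninitialized constant after upgrading. A one-line alias beside the new class would keep those callers working until the old name can be retired, e.g. `InvalidToken = InvalidAuthenticityToken #:nodoc: legacy name, remove once deprecated`. If the alias is intentionally omitted, the CHANGELOG entry in this changeset should say the exception was renamed rather than only mention the new name. While here, the unchanged comment line "should be indempotent anyway" (old line 19 / new line 20) misspells "idempotent".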
r7618 r7623 14 14 DEFAULT_RESCUE_RESPONSE = :internal_server_error 15 15 DEFAULT_RESCUE_RESPONSES = { 16 'ActionController::RoutingError' => :not_found,17 'ActionController::UnknownAction' => :not_found,18 'ActiveRecord::RecordNotFound' => :not_found,19 'ActiveRecord::StaleObjectError' => :conflict,20 'ActiveRecord::RecordInvalid' => :unprocessable_entity,21 'ActiveRecord::RecordNotSaved' => :unprocessable_entity,22 'ActionController::MethodNotAllowed' => :method_not_allowed,23 'ActionController::NotImplemented' => :not_implemented,24 'ActionController::Invalid Token'=> :unprocessable_entity16 'ActionController::RoutingError' => :not_found, 17 'ActionController::UnknownAction' => :not_found, 18 'ActiveRecord::RecordNotFound' => :not_found, 19 'ActiveRecord::StaleObjectError' => :conflict, 20 'ActiveRecord::RecordInvalid' => :unprocessable_entity, 21 'ActiveRecord::RecordNotSaved' => :unprocessable_entity, 22 'ActionController::MethodNotAllowed' => :method_not_allowed, 23 'ActionController::NotImplemented' => :not_implemented, 24 'ActionController::InvalidAuthenticityToken' => :unprocessable_entity 25 25 } 26 26 trunk/actionpack/test/controller/request_forgery_protection_test.rb
r7596 r7623 52 52 53 53 def test_should_not_allow_post_without_token 54 assert_raises(ActionController::Invalid Token) { post :index }54 assert_raises(ActionController::InvalidAuthenticityToken) { post :index } 55 55 end 56 56 57 57 def test_should_not_allow_put_without_token 58 assert_raises(ActionController::Invalid Token) { put :index }58 assert_raises(ActionController::InvalidAuthenticityToken) { put :index } 59 59 end 60 60 61 61 def test_should_not_allow_delete_without_token 62 assert_raises(ActionController::Invalid Token) { delete :index }62 assert_raises(ActionController::InvalidAuthenticityToken) { delete :index } 63 63 end 64 64 65 65 def test_should_not_allow_xhr_post_without_token 66 assert_raises(ActionController::Invalid Token) { xhr :post, :index }66 assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index } 67 67 end 68 68 69 69 def test_should_not_allow_xhr_put_without_token 70 assert_raises(ActionController::Invalid Token) { xhr :put, :index }70 assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index } 71 71 end 72 72 73 73 def test_should_not_allow_xhr_delete_without_token 74 assert_raises(ActionController::Invalid Token) { xhr :delete, :index }74 assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index } 75 75 end 76 76 … … 162 162 163 163 def test_should_not_allow_post_without_token 164 assert_raises(ActionController::Invalid Token) { post :index }164 assert_raises(ActionController::InvalidAuthenticityToken) { post :index } 165 165 end 166 166 167 167 def test_should_not_allow_put_without_token 168 assert_raises(ActionController::Invalid Token) { put :index }168 assert_raises(ActionController::InvalidAuthenticityToken) { put :index } 169 169 end 170 170 171 171 def test_should_not_allow_delete_without_token 172 assert_raises(ActionController::Invalid Token) { delete :index }172 assert_raises(ActionController::InvalidAuthenticityToken) { delete :index } 173 173 end 174 174 175 175 
def test_should_not_allow_xhr_post_without_token 176 assert_raises(ActionController::Invalid Token) { xhr :post, :index }176 assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index } 177 177 end 178 178 179 179 def test_should_not_allow_xhr_put_without_token 180 assert_raises(ActionController::Invalid Token) { xhr :put, :index }180 assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index } 181 181 end 182 182 183 183 def test_should_not_allow_xhr_delete_without_token 184 assert_raises(ActionController::Invalid Token) { xhr :delete, :index }184 assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index } 185 185 end 186 186 trunk/railties/CHANGELOG
r7619 r7623 1 1 *SVN* 2 2 3 * Added a default 422.html page to be rendered when ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved, or ActionController::Invalid Token is raised [DHH]3 * Added a default 422.html page to be rendered when ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved, or ActionController::InvalidAuthenticityToken is raised [DHH] 4 4 5 5 * Added --skip-fixture option to script/generate model #6862 [sandofsky]