Merge pull request #14945 from tomkadwill/form_authenticity_param_refactor

Moved 'params[request_forgery_protection_token]' into its own method and...
2014-05-06 14:30:21 -03:00 · 2014-05-06 14:30:21 -03:00 · 2bb008a6cf
parent bdcd5f94b2 7d5a858e5c
commit 2bb008a6cf
3 changed files with 34 additions and 6 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -1,3 +1,10 @@
+*   Moved `params[request_forgery_protection_token]` into its own method
+    and improved tests.
+
+    Fixes #11316.
+
+    *Tom Kadwill*
+
 *   Added verification of route constraints given as a Proc or an object responding
    to `:matches?`. Previously, when given an non-complying object, it would just
    silently fail to enforce the constraint. It will now raise an `ArgumentError`
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@ -247,7 +247,7 @@ module ActionController #:nodoc:
      # * Does the X-CSRF-Token header match the form_authenticity_token
      def verified_request?
        !protect_against_forgery? || request.get? || request.head? ||
-          form_authenticity_token == params[request_forgery_protection_token] ||
+          form_authenticity_token == form_authenticity_param ||
          form_authenticity_token == request.headers['X-CSRF-Token']
      end

--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -462,16 +462,37 @@ end
 class CustomAuthenticityParamControllerTest < ActionController::TestCase
  def setup
    super
-    ActionController::Base.request_forgery_protection_token = :custom_token_name
+    @old_logger = ActionController::Base.logger
+    @logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+    @token = "foobar"
+    ActionController::Base.request_forgery_protection_token = @token
  end

  def teardown
-    ActionController::Base.request_forgery_protection_token = :authenticity_token
+    ActionController::Base.request_forgery_protection_token = nil
    super
  end

-  def test_should_allow_custom_token
+  def test_should_not_warn_if_form_authenticity_param_matches_form_authenticity_token
+    ActionController::Base.logger = @logger
+    SecureRandom.stubs(:base64).returns(@token)
+
+    begin
      post :index, :custom_token_name => 'foobar'
-    assert_response :ok
+      assert_equal 0, @logger.logged(:warn).size
+    ensure
+      ActionController::Base.logger = @old_logger
+    end
+  end
+
+  def test_should_warn_if_form_authenticity_param_does_not_match_form_authenticity_token
+    ActionController::Base.logger = @logger
+
+    begin
+      post :index, :custom_token_name => 'bazqux'
+      assert_equal 1, @logger.logged(:warn).size
+    ensure
+      ActionController::Base.logger = @old_logger
+    end
  end
 end