kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Added request.head? to forgery protection code

Browse source
This commit is contained in:
Michiel Sikkes 2013-01-22 22:01:57 +01:00
parent 64245e02e3
commit 2ef138f0d4
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
actionpack/lib/action_controller/metal/request_forgery_protection.rb
View file

@ -162,11 +162,11 @@ module ActionController #:nodoc:
# Returns true or false if a request is verified. Checks:
#
# * is it a GET request? Gets should be safe and idempotent
# * is it a GET or HEAD request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
# * Does the X-CSRF-Token header match the form_authenticity_token
def verified_request?
!protect_against_forgery? || request.get? ||
!protect_against_forgery? || request.get? || request.head? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end