
Check that request is same-origin prior to including CSRF token in XHRs

[CVE-2020-8167]
This commit is contained in:
Jack McCracken 2020-05-06 11:28:07 -04:00 committed by Aaron Patterson
parent 358ff18975
commit a20fbf9bc5
No known key found for this signature in database
GPG key ID: 953170BCB4FFAFC6


@ -52,9 +52,10 @@ createXHR = (options, done) ->
# Sending FormData will automatically set Content-Type to multipart/form-data # Sending FormData will automatically set Content-Type to multipart/form-data
if typeof options.data is 'string' if typeof options.data is 'string'
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8') xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8')
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest') unless options.crossDomain unless options.crossDomain
# Add X-CSRF-Token xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest')
CSRFProtection(xhr) # Add X-CSRF-Token
CSRFProtection(xhr)
xhr.withCredentials = !!options.withCredentials xhr.withCredentials = !!options.withCredentials
xhr.onreadystatechange = -> xhr.onreadystatechange = ->
done(xhr) if xhr.readyState is XMLHttpRequest.DONE done(xhr) if xhr.readyState is XMLHttpRequest.DONE
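Review bot: The new `unless options.crossDomain` guard is fail-open: it withholds X-Requested-With and the X-CSRF-Token header only when a caller has explicitly set `crossDomain` to a truthy value, so any caller of createXHR that omits the flag (undefined by default) still gets the token attached regardless of the target origin. Unless every caller is known to compute the flag from the URL, it would be more robust to derive the default inside createXHR itself, e.g. `unless options.crossDomain ? isCrossDomain(options.url)`, assuming the module's `isCrossDomain(url)` helper is in scope at this point; that cannot be confirmed from the hunk. The `# Add X-CSRF-Token` comment should also record why the gate exists, for example `# Only attach X-Requested-With and the CSRF token to same-origin requests; sending the token cross-origin would disclose it to a third-party host (CVE-2020-8167)`. createXHR starts before this hunk, so how a missing `crossDomain` is treated there is not visible here.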