kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty

Browse source
This commit is contained in:
Xavier Noria 2010-09-11 11:04:19 +02:00
parent f6153f74da
commit a87b92db7b
7 changed files with 34 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
actionpack/CHANGELOG
View file

@ -1,6 +1,6 @@
*Rails 3.1.0 (unreleased)* *Rails 3.1.0 (unreleased)*
* No changes * Renames csrf_meta_tag -> csrf_meta_tags, and aliases csrf_meta_tag for backwards compatibility. [fxn]
*Rails 3.0.0 (August 29, 2010)* *Rails 3.0.0 (August 29, 2010)*

4
actionpack/lib/action_controller/metal/request_forgery_protection.rb
View file

@ -17,11 +17,11 @@ module ActionController #:nodoc:
# which will check the token and raise an ActionController::InvalidAuthenticityToken # which will check the token and raise an ActionController::InvalidAuthenticityToken
# if it doesn't match what was expected. A call to this method is generated for new # if it doesn't match what was expected. A call to this method is generated for new
# \Rails applications by default. You can customize the error message by editing # \Rails applications by default. You can customize the error message by editing
# public/422.html. # public/422.html.
# #
# The token parameter is named <tt>authenticity_token</tt> by default. The name and # The token parameter is named <tt>authenticity_token</tt> by default. The name and
# value of this token must be added to every layout that renders forms by including # value of this token must be added to every layout that renders forms by including
# <tt>csrf_meta_tag</tt> in the html +head+. # <tt>csrf_meta_tags</tt> in the html +head+.
# #
# Learn more about CSRF attacks and securing your application in the # Learn more about CSRF attacks and securing your application in the
# {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html]. # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].

28
actionpack/lib/action_view/helpers/csrf_helper.rb
View file

@ -1,14 +1,30 @@
require 'active_support/core_ext/string/strip'
module ActionView module ActionView
# = Action View CSRF Helper # = Action View CSRF Helper
module Helpers module Helpers
module CsrfHelper module CsrfHelper
# Returns a meta tag with the cross-site request forgery protection token # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
# for forms to use. Place this in your head. # request forgery protection parameter and token, respectively.
def csrf_meta_tag #
if protect_against_forgery? # <head>
%(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe # <%= csrf_meta_tags %>
end # </head>
#
# These are used to generate the dynamic forms that implement non-remote links with
# <tt>:method</tt>.
#
# Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
# so they do not use these tags.
def csrf_meta_tags
<<-METAS.strip_heredoc.html_safe if protect_against_forgery?
<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>
<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>
METAS
end end
# For backwards compatibility.
alias csrf_meta_tag csrf_meta_tags
end end
end end
end end

8
actionpack/test/controller/request_forgery_protection_test.rb
View file

@ -1,5 +1,6 @@
require 'abstract_unit' require 'abstract_unit'
require 'digest/sha1' require 'digest/sha1'
require 'active_support/core_ext/string/strip'
# common controller actions # common controller actions
module RequestForgeryProtectionActions module RequestForgeryProtectionActions
@ -16,7 +17,7 @@ module RequestForgeryProtectionActions
end end
def meta def meta
render :inline => "<%= csrf_meta_tag %>" render :inline => "<%= csrf_meta_tags %>"
end end
def rescue_action(e) raise e end def rescue_action(e) raise e end
@ -219,7 +220,10 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase
test 'should emit a csrf-token meta tag' do test 'should emit a csrf-token meta tag' do
ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?') ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
get :meta get :meta
assert_equal %(<meta name="csrf-param" content="authenticity_token"/>\n<meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>), @response.body assert_equal <<-METAS.strip_heredoc, @response.body
<meta name="csrf-param" content="authenticity_token"/>
<meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>
METAS
end end
end end

2
railties/guides/source/getting_started.textile
View file

@ -559,7 +559,7 @@ The view is only part of the story of how HTML is displayed in your web browser.
<title>Blog</title> <title>Blog</title>
<%= stylesheet_link_tag :all %> <%= stylesheet_link_tag :all %>
<%= javascript_include_tag :defaults %> <%= javascript_include_tag :defaults %>
<%= csrf_meta_tag %> <%= csrf_meta_tags %>
</head> </head>
<body style="background: #EEEEEE;"> <body style="background: #EEEEEE;">

2
railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
View file

@ -4,7 +4,7 @@
<title><%= app_const_base %></title> <title><%= app_const_base %></title>
<%%= stylesheet_link_tag :all %> <%%= stylesheet_link_tag :all %>
<%%= javascript_include_tag :defaults %> <%%= javascript_include_tag :defaults %>
<%%= csrf_meta_tag %> <%%= csrf_meta_tags %>
</head> </head>
<body> <body>

2
railties/test/application/configuration_test.rb
View file

@ -211,7 +211,7 @@ module ApplicationTests
protect_from_forgery protect_from_forgery
def index def index
render :inline => "<%= csrf_meta_tag %>" render :inline => "<%= csrf_meta_tags %>"
end end
end end