diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 1802acc568..803782113d 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -1,5 +1,6 @@
 module ActionController #:nodoc:
- class InvalidToken < ActionControllerError; end
+ class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+ end
 module RequestForgeryProtection
 def self.included(base)
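Review bot: The new `class InvalidAuthenticityToken` line removes `ActionController::InvalidToken` without leaving an alias, so any application code that rescues the old name, or refers to it by name in a rescue mapping like the one in rescue.rb, is broken by this commit; because Ruby evaluates a `rescue` clause's class expression only while an exception is propagating, such code fails with NameError at the moment a forged request is being rejected rather than at load time. A one-line alias next to the new class keeps this a safe rename until the old name can be retired: `InvalidToken = InvalidAuthenticityToken #:nodoc: kept for compatibility with code rescuing the old name`. The same renaming is repeated in the verify_authenticity_token hunk, in rescue.rb's DEFAULT_RESCUE_RESPONSES and in both test classes, so the alias decision applies to all of them. The `#:nodoc:` on the new class also hides it from generated API docs even though the module comment in the next hunk tells users to expect it; consider dropping the marker or giving the class a one-line doc comment.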
@@ -18,23 +19,27 @@ module ActionController #:nodoc:
 # HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication
 # scheme there anyway). Also, GET requests are not protected as these should be indempotent anyway.
 #
- # You turn this on with the #protect_from_forgery method, which will perform the check and raise an ActionController::InvalidToken if
- # the token doesn't match what was expected. And it will add a _token parameter to all forms that are automatically generated
- # by Rails. You can customize the error message given through public/422.html.
+ # You turn this on with the #protect_from_forgery method, which will perform the check and raise
+ # an ActionController::InvalidAuthenticityToken if the token doesn't match what was expected. And it will add
+ # a _authenticity_token parameter to all forms that are automatically generated by Rails. You can customize the error message
+ # given through public/422.html.
 #
 # Learn more about CSRF (Cross-Site Request Forgery) attacks:
 #
 # * http://isc.sans.org/diary.html?storyid=1750
 # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
 #
- # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application. There are a few guidelines you
- # should follow:
+ # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+ # There are a few guidelines you should follow:
 #
 # * Keep your GET requests safe and idempotent. More reading material:
 # * http://www.xml.com/pub/a/2002/04/24/deviant.html
 # * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
 # * Make sure the session cookies that Rails creates are non-persistent.
Check in Firefox and look for "Expires: at end of session"
 #
+ # If you need to construct a request yourself, but still want to take advantage of forgery protection, you can grab the
+ # authenticity_token using the form_authenticity_token helper method and make it part of the parameters yourself.
+ #
 # Example:
 #
 # class FooController < ApplicationController
@@ -61,7 +66,7 @@ module ActionController #:nodoc:
 protected
 # The actual before_filter that is used. Modify this to change how you handle unverified requests.
 def verify_authenticity_token
- verified_request? || raise(ActionController::InvalidToken)
+ verified_request? || raise(ActionController::InvalidAuthenticityToken)
 end
 # Returns true or false if a request is verified. Checks:
diff --git a/actionpack/lib/action_controller/rescue.rb b/actionpack/lib/action_controller/rescue.rb
index 379bc76281..5556c1d15a 100644
--- a/actionpack/lib/action_controller/rescue.rb
+++ b/actionpack/lib/action_controller/rescue.rb
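Review bot: The added documentation is inconsistent about the parameter name: the reflowed paragraph says the form helpers add `a _authenticity_token parameter`, while the new paragraph a few lines further down refers to `the authenticity_token`; one of the two is wrong, and since this is the name developers will type into hand-built forms it should match what the form helpers actually emit in both places. The new paragraph on building requests by hand with form_authenticity_token would also benefit from saying where the token belongs, in line with the guideline just above it about keeping GET requests safe: `# Send the token in the request body (or a request header), never in a GET query string, where it would end up in server logs and Referer headers.` While this comment block is being reflowed, the context line's `indempotent` could be corrected to `idempotent`, as it is spelled further down in the same block. The comment block begins before line 18 of the file, outside this hunk.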
@@ -13,15 +13,15 @@ module ActionController #:nodoc:
 DEFAULT_RESCUE_RESPONSE = :internal_server_error
 DEFAULT_RESCUE_RESPONSES = {
- 'ActionController::RoutingError' => :not_found,
- 'ActionController::UnknownAction' => :not_found,
- 'ActiveRecord::RecordNotFound' => :not_found,
- 'ActiveRecord::StaleObjectError' => :conflict,
- 'ActiveRecord::RecordInvalid' => :unprocessable_entity,
- 'ActiveRecord::RecordNotSaved' => :unprocessable_entity,
- 'ActionController::MethodNotAllowed' => :method_not_allowed,
- 'ActionController::NotImplemented' => :not_implemented,
- 'ActionController::InvalidToken' => :unprocessable_entity
+ 'ActionController::RoutingError' => :not_found,
+ 'ActionController::UnknownAction' => :not_found,
+ 'ActiveRecord::RecordNotFound' => :not_found,
+ 'ActiveRecord::StaleObjectError' => :conflict,
+ 'ActiveRecord::RecordInvalid' => :unprocessable_entity,
+ 'ActiveRecord::RecordNotSaved' => :unprocessable_entity,
+ 'ActionController::MethodNotAllowed' => :method_not_allowed,
+ 'ActionController::NotImplemented' => :not_implemented,
+ 'ActionController::InvalidAuthenticityToken' => :unprocessable_entity
 }
 DEFAULT_RESCUE_TEMPLATE = 'diagnostics'
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 59df4615c5..98ca44c8cb 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
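Review bot: The renamed key `'ActionController::InvalidAuthenticityToken' => :unprocessable_entity` is a plain string, so nothing ties it to the constant defined in request_forgery_protection.rb: a mismatch between the two would not fail loudly but presumably leave a rejected forged request falling through to DEFAULT_RESCUE_RESPONSE, a 500 instead of the 422 the documentation promises. The test hunks in this commit only assert that the exception class is raised; a test that a rejected request actually yields `:unprocessable_entity`, or at minimum that the mapping entry for `ActionController::InvalidAuthenticityToken.name` is `:unprocessable_entity`, would pin the mapping against the next rename. Most of this hunk is whitespace realignment of unchanged entries, which buries the one real change in blame output; keeping the realignment as a separate commit would make the behavioural change reviewable on its own.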
@@ -51,27 +51,27 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
 end
 def test_should_not_allow_post_without_token
- assert_raises(ActionController::InvalidToken) { post :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
 end
 def test_should_not_allow_put_without_token
- assert_raises(ActionController::InvalidToken) { put :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
 end
 def test_should_not_allow_delete_without_token
- assert_raises(ActionController::InvalidToken) { delete :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
 end
 def test_should_not_allow_xhr_post_without_token
- assert_raises(ActionController::InvalidToken) { xhr :post, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
 end
 def test_should_not_allow_xhr_put_without_token
- assert_raises(ActionController::InvalidToken) { xhr :put, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
 end
 def test_should_not_allow_xhr_delete_without_token
- assert_raises(ActionController::InvalidToken) { xhr :delete, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
 end
 def test_should_allow_post_with_token
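Review bot: The six renamed assertions only cover requests that carry no token at all; nothing in this hunk exercises a request that sends a token with the wrong value, which is the case the check exists to reject. If the rest of the file has no such test, one per verb along the lines of `assert_raises(ActionController::InvalidAuthenticityToken) { post :index, <token-param> => 'wrong-value' }` would close the gap, where `<token-param>` is a placeholder for whichever parameter name the form helpers emit (the new documentation in this commit names it inconsistently). The same six methods appear verbatim in CsrfCookieMonsterControllerTest in the next hunk; moving them into a module included by both test classes would keep future renames, and the missing wrong-token cases, in one place. The enclosing test class opens before this hunk and the hunk ends inside it.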
@@ -161,27 +161,27 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
 end
 def test_should_not_allow_post_without_token
- assert_raises(ActionController::InvalidToken) { post :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
 end
 def test_should_not_allow_put_without_token
- assert_raises(ActionController::InvalidToken) { put :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
 end
 def test_should_not_allow_delete_without_token
- assert_raises(ActionController::InvalidToken) { delete :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
 end
 def test_should_not_allow_xhr_post_without_token
- assert_raises(ActionController::InvalidToken) { xhr :post, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
 end
 def test_should_not_allow_xhr_put_without_token
- assert_raises(ActionController::InvalidToken) { xhr :put, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
 end
 def test_should_not_allow_xhr_delete_without_token
- assert_raises(ActionController::InvalidToken) { xhr :delete, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
 end
 def test_should_allow_post_with_token
diff --git a/railties/CHANGELOG b/railties/CHANGELOG
index 6bca1a5824..b015d92060 100644
--- a/railties/CHANGELOG
+++ b/railties/CHANGELOG
@@ -1,6 +1,6 @@
 *SVN*
-* Added a default 422.html page to be rendered when ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved, or ActionController::InvalidToken is raised [DHH]
+* Added a default 422.html page to be rendered when ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved, or ActionController::InvalidAuthenticityToken is raised [DHH]
 * Added --skip-fixture option to script/generate model #6862 [sandofsky]