Handle non-string authenticity tokens

Non-string authenticity tokens raised NoMethodError when decoding the masked token.
2022-11-09 12:12:34 -05:00 · 2015-02-12 22:24:45 +02:00 · 2015-02-12 22:24:45 +02:00 · bf067b41e5
commit bf067b41e5
parent fa63448420
3 changed files with 13 additions and 1 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -1,3 +1,8 @@
+*   Non-string authenticity tokens do not raise NoMethodError when decoding
+    the masked token.
+
+    *Ville Lautanala*
+
 *   ActionController#translate supports symbols as shortcuts.
    When shortcut is given it also lookups without action name.

--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@ -279,7 +279,7 @@ module ActionController #:nodoc:

        begin
          masked_token = Base64.strict_decode64(encoded_masked_token)
-        rescue ArgumentError # encoded_masked_token is invalid Base64
+        rescue ArgumentError, NoMethodError # encoded_masked_token is invalid Base64
          return false
        end

--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -374,6 +374,13 @@ module RequestForgeryProtectionTests
    end
  end

+  def test_should_not_raise_error_if_token_is_not_a_string
+    @controller.unstub(:valid_authenticity_token?)
+    assert_blocked do
+      patch :index, params: { custom_authenticity_token: { foo: 'bar' } }
+    end
+  end
+
  def assert_blocked
    session[:something_like_user_id] = 1
    yield