mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Handle non-string authenticity tokens
Non-string authenticity tokens raised NoMethodError when decoding the masked token.
parent
fa63448420
commit
bf067b41e5
3 changed files with 13 additions and 1 deletions
|
@ -1,3 +1,8 @@
|
|||
* Non-string authenticity tokens do not raise NoMethodError when decoding
|
||||
the masked token.
|
||||
|
||||
*Ville Lautanala*
|
||||
|
||||
* ActionController#translate supports symbols as shortcuts.
|
||||
When shortcut is given it also lookups without action name.
|
||||
|
||||
|
|
|
@ -279,7 +279,7 @@ module ActionController #:nodoc:
|
|||
|
||||
begin
|
||||
masked_token = Base64.strict_decode64(encoded_masked_token)
|
||||
rescue ArgumentError # encoded_masked_token is invalid Base64
|
||||
rescue ArgumentError, NoMethodError # encoded_masked_token is invalid Base64
|
||||
return false
|
||||
end
|
||||
|
||||
|
|
|
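Review bot: Adding `NoMethodError` to the rescue around `Base64.strict_decode64(encoded_masked_token)` still fails closed, which is the right outcome for CSRF validation, but it also swallows any unrelated NoMethodError raised inside the `begin` block. It leaves the trailing comment ("encoded_masked_token is invalid Base64") inaccurate for the new case. An explicit type guard before the decode states the intent and keeps the rescue narrow: `return false unless encoded_masked_token.is_a?(String)`, with the clause left as `rescue ArgumentError`. The enclosing method starts and ends outside the hunk, so whether an earlier nil or empty check already runs on this value cannot be confirmed from here.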
@ -374,6 +374,13 @@ module RequestForgeryProtectionTests
|
|||
end
|
||||
end
|
||||
|
||||
def test_should_not_raise_error_if_token_is_not_a_string
|
||||
@controller.unstub(:valid_authenticity_token?)
|
||||
assert_blocked do
|
||||
patch :index, params: { custom_authenticity_token: { foo: 'bar' } }
|
||||
end
|
||||
end
|
||||
|
||||
def assert_blocked
|
||||
session[:something_like_user_id] = 1
|
||||
yield
|
||||
|
|
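Review bot: The new test exercises only a Hash-valued token (`{ foo: 'bar' }`), so other non-string shapes that request parameters can take, such as an Array, are not covered. A sibling case inside `assert_blocked`, for example `patch :index, params: { custom_authenticity_token: ['bar'] }`, would pin the fail-closed behaviour regardless of how the non-string check is implemented later. The body of `assert_blocked` continues past the end of the hunk.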