mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

22 commits

Author SHA1 Message Date
Xavier Noria
00e1d0832e Merge branch 'master' of git://github.com/lifo/docrails
Conflicts:
	actionmailer/lib/action_mailer/base.rb
	activesupport/lib/active_support/core_ext/kernel/requires.rb
2011-05-25 22:48:47 +02:00
Sebastian Martinez
fcdb5dc557 Remove extra white spaces on ActionPack docs. 2011-05-23 20:22:33 -03:00
Jon Leighton
d411c85a65 Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. 2011-05-23 20:25:44 +01:00
José Valim
59705deeaf Warn if we cannot verify CSRF token authenticity 2011-05-09 17:23:41 +02:00
Michael Koziarski
3d907a68d9 Prepend the CSRF filter to make it much more difficult to execute application code before it fires. 2011-02-23 09:00:41 +13:00
Michael Koziarski
ae19e4141f Change the CSRF whitelisting to only apply to get requests
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
2011-02-08 14:57:08 -08:00
Ryan Bigg
167964149e Add explicit statement that verify_authenticity_token can be turned off for actions. 2010-11-27 07:57:10 +11:00
Xavier Noria
a87b92db7b revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibility 2010-09-11 11:05:00 +02:00
José Valim
599e46bf24 Revert "Setup explicit requires for files with exceptions. Removed them from autoloading."
Booting a new Rails application does not work after this commit [#5359 state:open]

This reverts commit 38a421b34d.
2010-09-02 21:11:03 +02:00
Łukasz Strzałkowski
38a421b34d Setup explicit requires for files with exceptions. Removed them from autoloading.
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-09-02 11:54:04 +02:00
Joost Baaij
c28d46a92d Reflect how CSRF protection now works and refer to the Security Guide for more information 2010-08-26 23:03:30 +02:00
Evgeniy Dolzhenko
ccf9577aee Fix a bunch of minor spelling mistakes 2010-06-11 14:15:34 +04:00
wycats
ffe001f19d Changes made while working on upgrading cells to Rails 3 2010-06-02 22:56:41 +02:00
José Valim
4163ccec23 Clean up the config object in ActionPack. Create config_accessor which just delegates to the config object, reducing the number of deprecations and add specific tests. 2010-04-22 12:00:13 +02:00
Carl Lerche
8b4dca109a ActionController::Base.request_forgery_protection_token should actually be the name of the token and not true. 2010-03-11 10:08:18 -08:00
Carl Lerche
01f0e47663 Move request forgery protection configuration to the AC config object
This is an interim solution pending revisiting the rails framework configuration situation.
2010-03-08 14:02:41 -08:00
Jeremy Kemper
e5ab4b0d07 Convert to class_attribute 2010-02-01 02:02:42 -08:00
Carl Lerche
2e87196d14 Use extlib_inheritable_accessor in request_forgery_protection.rb.
For some reason the current class_inheritable_accessor does not play nice with included hooks. class_inheritable_accessor will be revised shortly.
2009-12-29 13:21:36 -08:00
Joshua Peek
0f8a5c7954 Merge Session stuff into RackConvenience 2009-12-20 20:00:04 -06:00
Jeremy Kemper
e1385be025 Extract form_authenticity_param instance method so it's overridable in subclasses 2009-11-17 23:40:06 -08:00
Yehuda Katz
0b2dd7afd9 Reorganize CSRF a bit 2009-10-28 00:12:35 -07:00
Yehuda Katz
bd6b61be88 Rename /base to /metal and make base.rb and metal.rb top-level to reflect their module locations 2009-08-06 19:52:11 -03:00
Renamed from actionpack/lib/action_controller/base/request_forgery_protection.rb