Joshua Peek
24ad9ae3d2
Cleanup route reloading in tests. Prefer with_routing over using ActionController::Routing::Routes directly
2009-08-16 21:14:26 -05:00
Ross Kaffenburger and Bryan Helmkamp
256b0ee8e3
Don't check authenticity tokens for any AJAX requests
2009-04-15 16:04:21 -07:00
Jeremy Kemper
1c36172c13
Ruby 1.9 compat: rename deprecated assert_raises to assert_raise.
[#1617 state:resolved]
2009-03-08 13:11:58 -07:00
Michael Koziarski
9fdb15e60f
Change the forgery token implementation to just be a simple random string.
This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
2008-11-23 14:28:34 +01:00
Jeremy Kemper
eeea1a26ec
Merge branch 'master' into testing
2008-11-15 12:21:04 -08:00
Jeff Cohen
fbbcd6f29a
Changed request forgery protection to only worry about HTML-formatted content requests.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
2008-11-13 11:23:21 +01:00
Jeremy Kemper
c82e8e1f48
Move controller assertions from base TestCase to AC:: and AV::TestCase
2008-11-07 15:42:34 -05:00
rick
74fd17346f
Merge branch 'master' of git@github.com:rails/rails
2008-05-13 09:41:10 -07:00
Peter Jones
2a986200b9
Bug: Earlier Check for Session in Forgery Protection
The session is used by the form_authenticity_token method before it is
tested to be valid. This patch moves a few lines around so that the
session is validated first.
Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:
undefined method `session_id' for {}:Hash
The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.
2008-05-11 13:27:34 -05:00
rick
c8451aeeea
change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [ #73 ]
2008-05-06 02:58:32 -07:00
rick
0697d17d12
Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [ #73 state:resolved]
2008-05-06 00:42:24 -07:00
Michael Koziarski
5ef8a81b84
Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-08 21:17:08 +00:00
Jeremy Kemper
9d755f1983
require abstract_unit directly since test is in load path
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-05 13:32:06 +00:00
Jeremy Kemper
0ee1cb2cd3
Ruby 1.9 compat, consistent load paths
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-10-02 05:32:14 +00:00
Rick Olson
82ff27766d
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 16:50:48 +00:00
Michael Koziarski
c1bdf027d8
Add missing require
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 16:48:59 +00:00
Rick Olson
5edc81dcc2
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 15:55:45 +00:00
David Heinemeier Hansson
82c1fed89f
Protect button_to behind protect_from_forgery ( closes #9675 ) [lifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-25 16:50:35 +00:00
David Heinemeier Hansson
bdf5672077
Change from InvalidToken to InvalidAuthenticityToken to be more specific
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-24 23:12:25 +00:00
Rick Olson
c619003854
Rename some RequestForgeryProtection methods. The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-23 18:14:44 +00:00
Rick Olson
4e3ed5bc44
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-23 02:32:55 +00:00