kotovalexarian-likes-github
/
rails--rails
mirror of https://github.com/rails/rails.git
1
0
Fork 0
Code Releases Activity
8,255 Commits 72 Branches 493 Tags 355 MiB
Commit Graph

14 Commits

Author SHA1 Message Date
rick 74fd17346f Merge branch 'master' of git@github.com:rails/rails 2008-05-13 09:41:10 -07:00
Peter Jones 2a986200b9 Bug: Earlier Check for Session in Forgery Protection 
The session is used by the form_authenticity_token method before it is
tested to be valid.  This patch moves a few lines around so that the
session is validated first.

Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:

  undefined method `session_id' for {}:Hash

The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.
 2008-05-11 13:27:34 -05:00
rick c8451aeeea change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73] 2008-05-06 02:58:32 -07:00
rick 0697d17d12 Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved] 2008-05-06 00:42:24 -07:00
Michael Koziarski 5ef8a81b84 Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2008-01-08 21:17:08 +00:00
Jeremy Kemper 9d755f1983 require abstract_unit directly since test is in load path 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2008-01-05 13:32:06 +00:00
Jeremy Kemper 0ee1cb2cd3 Ruby 1.9 compat, consistent load paths 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-10-02 05:32:14 +00:00
Rick Olson 82ff27766d Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-28 16:50:48 +00:00
Michael Koziarski c1bdf027d8 Add missing require 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-28 16:48:59 +00:00
Rick Olson 5edc81dcc2 Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-28 15:55:45 +00:00
David Heinemeier Hansson 82c1fed89f Protect button_to behind protect_from_forgery (closes #9675) [lifo] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-25 16:50:35 +00:00
David Heinemeier Hansson bdf5672077 Change from InvalidToken to InvalidAuthenticityToken to be more specific 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-24 23:12:25 +00:00
Rick Olson c619003854 Rename some RequestForgeryProtection methods. The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-23 18:14:44 +00:00
Rick Olson 4e3ed5bc44 Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
 2007-09-23 02:32:55 +00:00