Merged r3051 from trunk with some changes for 0.8 sessions.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.8-stable@3053 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application.rb

@@ -23,6 +23,7 @@ class ApplicationController < ActionController::Base
 
   before_filter :user_setup, :check_if_login_required, :set_localization
   filter_parameter_logging :password
+  protect_from_forgery :secret => session.first[:secret]
 
   include Redmine::MenuManager::MenuController
   helper Redmine::MenuManager::MenuHelper

config/environments/test.rb

@@ -15,3 +15,6 @@
 
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false

config/environments/test_pgsql.rb

@@ -15,3 +15,7 @@
 
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+

config/environments/test_sqlite3.rb

@@ -15,3 +15,6 @@
 
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false

doc/CHANGELOG

@@ -11,6 +11,7 @@ http://www.redmine.org/
 * Fixed: First date of the date range not included in the time report with SQLite
 * Fixed: Password field not styled correctly on alternative stylesheet
 * Fixed: Error when sumbitting a POST request that requires a login
+* Fixed: CSRF vulnerabilities
 
 == 2009-11-04 v0.8.6