Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Merge pull request #14280 from joho/make_csrf_failure_logging_optional

Make CSRF failure logging optional/configurable.
  • Loading branch information...
commit 2af7a7b19cd7735530f5fd4762896694f5955051 2 parents dc8bfc8 + 67584c6
@spastorino spastorino authored
View
5 actionpack/CHANGELOG.md
@@ -2,5 +2,10 @@
`default_url_options` methods.
*Tony Wooster*
+* Make logging of CSRF failures optional (but on by default) with the
+ `log_warning_on_csrf_failure` configuration setting in
+ ActionController::RequestForgeryProtection
+
+ *John Barton*
Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
View
8 actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -68,6 +68,10 @@ module RequestForgeryProtection
config_accessor :allow_forgery_protection
self.allow_forgery_protection = true if allow_forgery_protection.nil?
+ # Controls whether a CSRF failure logs a warning. On by default.
+ config_accessor :log_warning_on_csrf_failure
+ self.log_warning_on_csrf_failure = true
+
helper_method :form_authenticity_token
helper_method :protect_against_forgery?
end
@@ -193,7 +197,9 @@ def verify_authenticity_token
mark_for_same_origin_verification!
if !verified_request?
- logger.warn "Can't verify CSRF token authenticity" if logger
+ if logger && log_warning_on_csrf_failure
+ logger.warn "Can't verify CSRF token authenticity"
+ end
handle_unverified_request
end
end
View
16 actionpack/test/controller/request_forgery_protection_test.rb
@@ -289,6 +289,22 @@ def test_should_warn_on_missing_csrf_token
end
end
+ def test_should_not_warn_if_csrf_logging_disabled
+ old_logger = ActionController::Base.logger
+ logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+ ActionController::Base.logger = logger
+ ActionController::Base.log_warning_on_csrf_failure = false
+
+ begin
+ assert_blocked { post :index }
+
+ assert_equal 0, logger.logged(:warn).size
+ ensure
+ ActionController::Base.logger = old_logger
+ ActionController::Base.log_warning_on_csrf_failure = true
+ end
+ end
+
def test_should_only_allow_same_origin_js_get_with_xhr_header
assert_cross_origin_blocked { get :same_origin_js }
assert_cross_origin_blocked { get :same_origin_js, format: 'js' }
Please sign in to comment.
Something went wrong with that request. Please try again.