Permalink
Browse files

Allow ability to disable request forgery protection, disable it in te…

…st mode by default. Closes #9693 [lifofifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent b095ce6 commit 5edc81dcc2e13bdce3da01745b0d1af654342aad @technoweenie technoweenie committed Sep 28, 2007
View
@@ -1,5 +1,7 @@
*SVN*
+* Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]
+
* Avoid calling is_missing on LoadErrors. Closes #7460. [ntalbott]
* Move Railties' Dispatcher to ActionController::Dispatcher, introduce before_ and after_dispatch callbacks, and warm up to non-CGI requests. [Jeremy Kemper]
@@ -328,8 +328,11 @@ class Base
cattr_accessor :resource_action_separator
# Sets the token parameter name for RequestForgery. Calling #protect_from_forgery sets it to :authenticity_token by default
- @@request_forgery_protection_token = nil
cattr_accessor :request_forgery_protection_token
+
+ # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+ class_inheritable_accessor :allow_forgery_protection
+ self.allow_forgery_protection = true
# Holds the request object that's primarily used to get environment variables through access like
# <tt>request.env["REQUEST_URI"]</tt>.
@@ -8,6 +8,7 @@ def self.included(base)
class_inheritable_accessor :request_forgery_protection_options
self.request_forgery_protection_options = {}
helper_method :form_authenticity_token
+ helper_method :protect_against_forgery?
end
base.extend(ClassMethods)
end
@@ -48,6 +49,9 @@ module ClassMethods
#
# # uses one of the other session stores that uses a session_id value.
# protect_from_forgery :secret => 'my-little-pony', :except => :index
+ #
+ # # you can disable csrf protection on controller-by-controller basis:
+ # skip_before_filter :verify_authenticity_token
# end
#
# Valid Options:
@@ -75,9 +79,9 @@ def verify_authenticity_token
# * is it a GET request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given _token value from the params?
def verified_request?
- request_forgery_protection_token.nil? ||
- request.method == :get ||
- !verifiable_request_format? ||
+ !protect_against_forgery? ||
+ request.method == :get ||
+ !verifiable_request_format? ||
form_authenticity_token == params[request_forgery_protection_token]
end
@@ -110,5 +114,9 @@ def authenticity_token_from_cookie_session
session[:csrf_id] ||= CGI::Session.generate_unique_id
session.dbman.generate_digest(session[:csrf_id])
end
+
+ def protect_against_forgery?
+ allow_forgery_protection && request_forgery_protection_token
+ end
end
end
@@ -401,7 +401,7 @@ def extra_tags_for_form(html_options)
''
when /^post$/i, "", nil
html_options["method"] = "post"
- request_forgery_protection_token ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : ''
+ protect_against_forgery? ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : ''
else
html_options["method"] = "post"
content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0')
@@ -421,7 +421,7 @@ def form_tag_in_block(html_options, &block)
end
def token_tag
- if request_forgery_protection_token.nil?
+ unless protect_against_forgery?
''
else
tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
@@ -739,7 +739,7 @@ def options_for_ajax(options)
js_options['parameters'] = options[:with]
end
- if request_forgery_protection_token
+ if protect_against_forgery?
if js_options['parameters']
js_options['parameters'] << " + '&"
else
@@ -203,7 +203,7 @@ def button_to(name, options = {}, html_options = {})
form_method = method.to_s == 'get' ? 'get' : 'post'
request_token_tag = ''
- if form_method == 'post' && request_forgery_protection_token
+ if form_method == 'post' && protect_against_forgery?
request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
end
@@ -477,7 +477,7 @@ def method_javascript_function(method, url = '', href = nil)
submit_function << "m.setAttribute('name', '_method'); m.setAttribute('value', '#{method}'); f.appendChild(m);"
end
- if request_forgery_protection_token
+ if protect_against_forgery?
submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); "
submit_function << "s.setAttribute('name', '#{request_forgery_protection_token}'); s.setAttribute('value', '#{escape_javascript form_authenticity_token}'); f.appendChild(s);"
end
@@ -125,6 +125,18 @@ class CsrfCookieMonsterController < ActionController::Base
protect_from_forgery :only => :index
end
+class FreeCookieController < CsrfCookieMonsterController
+ self.allow_forgery_protection = false
+
+ def index
+ render :inline => "<%= form_tag('/') {} %>"
+ end
+
+ def show_button
+ render :inline => "<%= button_to('New', '/') {} %>"
+ end
+end
+
class FakeSessionDbMan
def self.generate_digest(data)
Digest::SHA1.hexdigest("secure")
@@ -147,3 +159,29 @@ class << @request.session
end
end
+class FreeCookieControllerTest < Test::Unit::TestCase
+
+ def setup
+ @controller = FreeCookieController.new
+ @request = ActionController::TestRequest.new
+ @response = ActionController::TestResponse.new
+ @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+ end
+
+ def test_should_not_render_form_with_token_tag
+ get :index
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+ end
+
+ def test_should_not_render_button_to_with_token_tag
+ get :show_button
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+ end
+
+ def test_should_allow_all_methods_without_token
+ [:post, :put, :delete].each do |method|
+ assert_nothing_raised { send(method, :index)}
+ end
+ end
+
+end
@@ -711,8 +711,8 @@ def posts_path
def post_path(post)
"/posts/#{post.id}"
end
-
- def request_forgery_protection_token
- nil
+
+ def protect_against_forgery?
+ false
end
end
@@ -177,9 +177,8 @@ def test_field_set_tag
expected = %(<fieldset>Hello world!</fieldset>)
assert_dom_equal expected, _erbout
end
-
- def request_forgery_protection_token
- nil
-
+
+ def protect_against_forgery?
+ false
end
end
@@ -65,6 +65,10 @@ def request_forgery_protection_token
nil
end
+ def protect_against_forgery?
+ false
+ end
+
def create_generator
block = Proc.new { |*args| yield *args if block_given? }
JavaScriptGenerator.new self, &block
@@ -89,8 +89,8 @@ def test_drop_receiving_element
assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nDroppables.add(\"droptarget1\", {accept:['tshirts','mugs'], onDrop:function(element){new Ajax.Updater('infobox', 'http://www.example.com/', {asynchronous:true, evalScripts:true, parameters:'id=' + encodeURIComponent(element.id)})}})\n//]]>\n</script>),
drop_receiving_element("droptarget1", :accept => ['tshirts','mugs'], :update => 'infobox')
end
-
- def request_forgery_protection_token
- nil
+
+ def protect_against_forgery?
+ false
end
end
@@ -268,8 +268,8 @@ def test_mail_to_with_replace_options
assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
end
- def request_forgery_protection_token
- nil
+ def protect_against_forgery?
+ false
end
end

0 comments on commit 5edc81d

Please sign in to comment.