Browse files

Make CSRF failure logging optional/configurable.

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.
  • Loading branch information...
1 parent 475c965 commit 67584c6ae37c88f8abba6f4fbdeedc7c1a6dfa1b @joho joho committed Mar 5, 2014
View
5 actionpack/CHANGELOG.md
@@ -2,5 +2,10 @@
`default_url_options` methods.
*Tony Wooster*
+* Make logging of CSRF failures optional (but on by default) with the
+ `log_warning_on_csrf_failure` configuration setting in
+ ActionController::RequestForgeryProtection
+
+ *John Barton*
Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
View
8 actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -68,6 +68,10 @@ module RequestForgeryProtection
config_accessor :allow_forgery_protection
self.allow_forgery_protection = true if allow_forgery_protection.nil?
+ # Controls whether a CSRF failure logs a warning. On by default.
+ config_accessor :log_warning_on_csrf_failure
+ self.log_warning_on_csrf_failure = true
+
helper_method :form_authenticity_token
helper_method :protect_against_forgery?
end
@@ -193,7 +197,9 @@ def verify_authenticity_token
mark_for_same_origin_verification!
if !verified_request?
- logger.warn "Can't verify CSRF token authenticity" if logger
+ if logger && log_warning_on_csrf_failure
+ logger.warn "Can't verify CSRF token authenticity"
+ end
handle_unverified_request
end
end
View
16 actionpack/test/controller/request_forgery_protection_test.rb
@@ -289,6 +289,22 @@ def test_should_warn_on_missing_csrf_token
end
end
+ def test_should_not_warn_if_csrf_logging_disabled
+ old_logger = ActionController::Base.logger
+ logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+ ActionController::Base.logger = logger
+ ActionController::Base.log_warning_on_csrf_failure = false
+
+ begin
+ assert_blocked { post :index }
+
+ assert_equal 0, logger.logged(:warn).size
+ ensure
+ ActionController::Base.logger = old_logger
+ ActionController::Base.log_warning_on_csrf_failure = true
+ end
+ end
+
def test_should_only_allow_same_origin_js_get_with_xhr_header
assert_cross_origin_blocked { get :same_origin_js }
assert_cross_origin_blocked { get :same_origin_js, format: 'js' }

0 comments on commit 67584c6

Please sign in to comment.