Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Moved 'params[request_forgery_protection_token]' into its own method …

…and improved tests.
  • Loading branch information...
commit 7d5a858e5ce54d449066ad0a00917248475fa7f0 1 parent e167a54
@tomkadwill tomkadwill authored
View
7 actionpack/CHANGELOG.md
@@ -1,3 +1,10 @@
+* Moved `params[request_forgery_protection_token]` into its own method
+ and improved tests.
+
+ Fixes #11316.
+
+ *Tom Kadwill*
+
* Added verification of route constraints given as a Proc or an object responding
to `:matches?`. Previously, when given an non-complying object, it would just
silently fail to enforce the constraint. It will now raise an `ArgumentError`
View
2  actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -247,7 +247,7 @@ def non_xhr_javascript_response?
# * Does the X-CSRF-Token header match the form_authenticity_token
def verified_request?
!protect_against_forgery? || request.get? || request.head? ||
- form_authenticity_token == params[request_forgery_protection_token] ||
+ form_authenticity_token == form_authenticity_param ||
form_authenticity_token == request.headers['X-CSRF-Token']
end
View
31 actionpack/test/controller/request_forgery_protection_test.rb
@@ -462,16 +462,37 @@ def test_should_allow_all_methods_without_token
class CustomAuthenticityParamControllerTest < ActionController::TestCase
def setup
super
- ActionController::Base.request_forgery_protection_token = :custom_token_name
+ @old_logger = ActionController::Base.logger
+ @logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+ @token = "foobar"
+ ActionController::Base.request_forgery_protection_token = @token
end
def teardown
- ActionController::Base.request_forgery_protection_token = :authenticity_token
+ ActionController::Base.request_forgery_protection_token = nil
super
end
- def test_should_allow_custom_token
- post :index, :custom_token_name => 'foobar'
- assert_response :ok
+ def test_should_not_warn_if_form_authenticity_param_matches_form_authenticity_token
+ ActionController::Base.logger = @logger
+ SecureRandom.stubs(:base64).returns(@token)
+
+ begin
+ post :index, :custom_token_name => 'foobar'
+ assert_equal 0, @logger.logged(:warn).size
+ ensure
+ ActionController::Base.logger = @old_logger
+ end
+ end
+
+ def test_should_warn_if_form_authenticity_param_does_not_match_form_authenticity_token
+ ActionController::Base.logger = @logger
+
+ begin
+ post :index, :custom_token_name => 'bazqux'
+ assert_equal 1, @logger.logged(:warn).size
+ ensure
+ ActionController::Base.logger = @old_logger
+ end
end
end
Please sign in to comment.
Something went wrong with that request. Please try again.