Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Protect button_to behind protect_from_forgery (closes #9675) [lifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit 82c1fed89fe6dae8f44b6647dd94fc68f01eaa81 1 parent 106b236
@dhh dhh authored
View
9 actionpack/lib/action_view/helpers/url_helper.rb
@@ -201,7 +201,12 @@ def button_to(name, options = {}, html_options = {})
end
form_method = method.to_s == 'get' ? 'get' : 'post'
-
+
+ request_token_tag = ''
+ if form_method == 'post' && request_forgery_protection_token
+ request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
+ end
+
if confirm = html_options.delete("confirm")
html_options["onclick"] = "return #{confirm_javascript_function(confirm)};"
end
@@ -212,7 +217,7 @@ def button_to(name, options = {}, html_options = {})
html_options.merge!("type" => "submit", "value" => name)
"<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
- method_tag + tag("input", html_options) + "</div></form>"
+ method_tag + tag("input", html_options) + request_token_tag + "</div></form>"
end
View
144 actionpack/test/controller/request_forgery_protection_test.rb
@@ -4,42 +4,21 @@
map.connect ':controller/:action/:id'
end
-class RequestForgeryProtectionController < ActionController::Base
- protect_from_forgery :only => :index, :secret => 'abc'
-
- def index
- render :inline => "<%= form_tag('/') {} %>"
- end
-
- def unsafe
- render :text => 'pwn'
- end
-
- def rescue_action(e) raise e end
-end
-
-class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
- def setup
- @controller = RequestForgeryProtectionController.new
- @request = ActionController::TestRequest.new
- @response = ActionController::TestResponse.new
- class << @request.session
- def session_id() '123' end
- end
- @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
- ActionController::Base.request_forgery_protection_token = :authenticity_token
- end
-
+module RequestForgeryProtectionTests
def teardown
ActionController::Base.request_forgery_protection_token = nil
end
-
+
def test_should_render_form_with_token_tag
get :index
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
+
+ def test_should_render_button_to_with_token_tag
+ get :show_button
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+ end
- # Replace this with your real tests.
def test_should_allow_get
get :index
assert_response :success
@@ -105,14 +84,15 @@ def test_should_allow_delete_with_xml
end
end
-# no token is given, assume the cookie store is used
-class CsrfCookieMonsterController < ActionController::Base
- protect_from_forgery :only => :index
-
+module RequestForgeryProtectionActions
def index
render :inline => "<%= form_tag('/') {} %>"
end
+ def show_button
+ render :inline => "<%= button_to('New', '/') {} %>"
+ end
+
def unsafe
render :text => 'pwn'
end
@@ -120,6 +100,31 @@ def unsafe
def rescue_action(e) raise e end
end
+class RequestForgeryProtectionController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index, :secret => 'abc'
+end
+
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+ include RequestForgeryProtectionTests
+ def setup
+ @controller = RequestForgeryProtectionController.new
+ @request = ActionController::TestRequest.new
+ @response = ActionController::TestResponse.new
+ class << @request.session
+ def session_id() '123' end
+ end
+ @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+ ActionController::Base.request_forgery_protection_token = :authenticity_token
+ end
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index
+end
+
class FakeSessionDbMan
def self.generate_digest(data)
Digest::SHA1.hexdigest("secure")
@@ -127,6 +132,7 @@ def self.generate_digest(data)
end
class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+ include RequestForgeryProtectionTests
def setup
@controller = CsrfCookieMonsterController.new
@request = ActionController::TestRequest.new
@@ -139,79 +145,5 @@ class << @request.session
@token = Digest::SHA1.hexdigest("secure")
ActionController::Base.request_forgery_protection_token = :authenticity_token
end
-
- def teardown
- ActionController::Base.request_forgery_protection_token = nil
- end
-
- def test_should_render_form_with_token_tag
- get :index
- assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
- end
-
- # Replace this with your real tests.
- def test_should_allow_get
- get :index
- assert_response :success
- end
-
- def test_should_allow_post_without_token_on_unsafe_action
- post :unsafe
- assert_response :success
- end
-
- def test_should_not_allow_post_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
- end
-
- def test_should_not_allow_put_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
- end
-
- def test_should_not_allow_delete_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
- end
-
- def test_should_not_allow_xhr_post_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
- end
-
- def test_should_not_allow_xhr_put_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
- end
-
- def test_should_not_allow_xhr_delete_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
- end
-
- def test_should_allow_post_with_token
- post :index, :authenticity_token => @token
- assert_response :success
- end
-
- def test_should_allow_put_with_token
- put :index, :authenticity_token => @token
- assert_response :success
- end
-
- def test_should_allow_delete_with_token
- delete :index, :authenticity_token => @token
- assert_response :success
- end
-
- def test_should_allow_post_with_xml
- post :index, :format => 'xml'
- assert_response :success
- end
-
- def test_should_allow_put_with_xml
- put :index, :format => 'xml'
- assert_response :success
- end
-
- def test_should_allow_delete_with_xml
- delete :index, :format => 'xml'
- assert_response :success
- end
end
Please sign in to comment.
Something went wrong with that request. Please try again.