Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Change from InvalidToken to InvalidAuthenticityToken to be more specific

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit bdf5672077f095dda577b10185e395f865aac3f6 1 parent e70bb80
@dhh dhh authored
View
19 actionpack/lib/action_controller/request_forgery_protection.rb
@@ -1,5 +1,6 @@
module ActionController #:nodoc:
- class InvalidToken < ActionControllerError; end
+ class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+ end
module RequestForgeryProtection
def self.included(base)
@@ -18,23 +19,27 @@ module ClassMethods
# HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication
# scheme there anyway). Also, GET requests are not protected as these should be indempotent anyway.
#
- # You turn this on with the #protect_from_forgery method, which will perform the check and raise an ActionController::InvalidToken if
- # the token doesn't match what was expected. And it will add a _token parameter to all forms that are automatically generated
- # by Rails. You can customize the error message given through public/422.html.
+ # You turn this on with the #protect_from_forgery method, which will perform the check and raise
+ # an ActionController::InvalidAuthenticityToken if the token doesn't match what was expected. And it will add
+ # a _authenticity_token parameter to all forms that are automatically generated by Rails. You can customize the error message
+ # given through public/422.html.
#
# Learn more about CSRF (Cross-Site Request Forgery) attacks:
#
# * http://isc.sans.org/diary.html?storyid=1750
# * http://en.wikipedia.org/wiki/Cross-site_request_forgery
#
- # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application. There are a few guidelines you
- # should follow:
+ # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+ # There are a few guidelines you should follow:
#
# * Keep your GET requests safe and idempotent. More reading material:
# * http://www.xml.com/pub/a/2002/04/24/deviant.html
# * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
# * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look for "Expires: at end of session"
#
+ # If you need to construct a request yourself, but still want to take advantage of forgery protection, you can grab the
+ # authenticity_token using the form_authenticity_token helper method and make it part of the parameters yourself.
+ #
# Example:
#
# class FooController < ApplicationController
@@ -61,7 +66,7 @@ def protect_from_forgery(options = {})
protected
# The actual before_filter that is used. Modify this to change how you handle unverified requests.
def verify_authenticity_token
- verified_request? || raise(ActionController::InvalidToken)
+ verified_request? || raise(ActionController::InvalidAuthenticityToken)
end
# Returns true or false if a request is verified. Checks:
View
18 actionpack/lib/action_controller/rescue.rb
@@ -13,15 +13,15 @@ module Rescue
DEFAULT_RESCUE_RESPONSE = :internal_server_error
DEFAULT_RESCUE_RESPONSES = {
- 'ActionController::RoutingError' => :not_found,
- 'ActionController::UnknownAction' => :not_found,
- 'ActiveRecord::RecordNotFound' => :not_found,
- 'ActiveRecord::StaleObjectError' => :conflict,
- 'ActiveRecord::RecordInvalid' => :unprocessable_entity,
- 'ActiveRecord::RecordNotSaved' => :unprocessable_entity,
- 'ActionController::MethodNotAllowed' => :method_not_allowed,
- 'ActionController::NotImplemented' => :not_implemented,
- 'ActionController::InvalidToken' => :unprocessable_entity
+ 'ActionController::RoutingError' => :not_found,
+ 'ActionController::UnknownAction' => :not_found,
+ 'ActiveRecord::RecordNotFound' => :not_found,
+ 'ActiveRecord::StaleObjectError' => :conflict,
+ 'ActiveRecord::RecordInvalid' => :unprocessable_entity,
+ 'ActiveRecord::RecordNotSaved' => :unprocessable_entity,
+ 'ActionController::MethodNotAllowed' => :method_not_allowed,
+ 'ActionController::NotImplemented' => :not_implemented,
+ 'ActionController::InvalidAuthenticityToken' => :unprocessable_entity
}
DEFAULT_RESCUE_TEMPLATE = 'diagnostics'
View
24 actionpack/test/controller/request_forgery_protection_test.rb
@@ -51,27 +51,27 @@ def test_should_allow_post_without_token_on_unsafe_action
end
def test_should_not_allow_post_without_token
- assert_raises(ActionController::InvalidToken) { post :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
end
def test_should_not_allow_put_without_token
- assert_raises(ActionController::InvalidToken) { put :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
end
def test_should_not_allow_delete_without_token
- assert_raises(ActionController::InvalidToken) { delete :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
end
def test_should_not_allow_xhr_post_without_token
- assert_raises(ActionController::InvalidToken) { xhr :post, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
end
def test_should_not_allow_xhr_put_without_token
- assert_raises(ActionController::InvalidToken) { xhr :put, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
end
def test_should_not_allow_xhr_delete_without_token
- assert_raises(ActionController::InvalidToken) { xhr :delete, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
end
def test_should_allow_post_with_token
@@ -161,27 +161,27 @@ def test_should_allow_post_without_token_on_unsafe_action
end
def test_should_not_allow_post_without_token
- assert_raises(ActionController::InvalidToken) { post :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
end
def test_should_not_allow_put_without_token
- assert_raises(ActionController::InvalidToken) { put :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
end
def test_should_not_allow_delete_without_token
- assert_raises(ActionController::InvalidToken) { delete :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
end
def test_should_not_allow_xhr_post_without_token
- assert_raises(ActionController::InvalidToken) { xhr :post, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
end
def test_should_not_allow_xhr_put_without_token
- assert_raises(ActionController::InvalidToken) { xhr :put, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
end
def test_should_not_allow_xhr_delete_without_token
- assert_raises(ActionController::InvalidToken) { xhr :delete, :index }
+ assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
end
def test_should_allow_post_with_token
View
2  railties/CHANGELOG
@@ -1,6 +1,6 @@
*SVN*
-* Added a default 422.html page to be rendered when ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved, or ActionController::InvalidToken is raised [DHH]
+* Added a default 422.html page to be rendered when ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved, or ActionController::InvalidAuthenticityToken is raised [DHH]
* Added --skip-fixture option to script/generate model #6862 [sandofsky]
Please sign in to comment.
Something went wrong with that request. Please try again.