Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make CSRF failure logging optional/configurable. #14280

Merged
merged 1 commit into from
Mar 8, 2014
Merged

Make CSRF failure logging optional/configurable. #14280

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions actionpack/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,10 @@
`default_url_options` methods.

*Tony Wooster*
* Make logging of CSRF failures optional (but on by default) with the
`log_warning_on_csrf_failure` configuration setting in
ActionController::RequestForgeryProtection

*John Barton*

Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
8 changes: 7 additions & 1 deletion actionpack/lib/action_controller/metal/request_forgery_protection.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,10 @@ module RequestForgeryProtection
config_accessor :allow_forgery_protection
self.allow_forgery_protection = true if allow_forgery_protection.nil?

# Controls whether a CSRF failure logs a warning. On by default.
config_accessor :log_warning_on_csrf_failure
self.log_warning_on_csrf_failure = true

helper_method :form_authenticity_token
helper_method :protect_against_forgery?
end
Expand Down Expand Up @@ -193,7 +197,9 @@ def verify_authenticity_token
mark_for_same_origin_verification!

if !verified_request?
logger.warn "Can't verify CSRF token authenticity" if logger
if logger && log_warning_on_csrf_failure
logger.warn "Can't verify CSRF token authenticity"
end
handle_unverified_request
end
end
Expand Down
16 changes: 16 additions & 0 deletions actionpack/test/controller/request_forgery_protection_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,22 @@ def test_should_warn_on_missing_csrf_token
end
end

def test_should_not_warn_if_csrf_logging_disabled
old_logger = ActionController::Base.logger
logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
ActionController::Base.logger = logger
ActionController::Base.log_warning_on_csrf_failure = false

begin
assert_blocked { post :index }

assert_equal 0, logger.logged(:warn).size
ensure
ActionController::Base.logger = old_logger
ActionController::Base.log_warning_on_csrf_failure = true
end
end

def test_should_only_allow_same_origin_js_get_with_xhr_header
assert_cross_origin_blocked { get :same_origin_js }
assert_cross_origin_blocked { get :same_origin_js, format: 'js' }
Expand Down