Merge pull request #38295 from bibstha/add_test_verify_token

Use path instead of fullpath on validating authenticity token

actionpack/lib/action_controller/metal/request_forgery_protection.rb

@@ -381,7 +381,7 @@ def valid_per_form_csrf_token?(token, session) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
             session,
-            request.fullpath.chomp("/"),
+            request.path.chomp("/"),
             request.request_method
           )
 

actionpack/test/controller/request_forgery_protection_test.rb

@@ -835,6 +835,18 @@ def test_accepts_token_for_correct_path_and_method
     assert_response :success
   end
 
+  def test_accepts_token_with_path_with_query_params
+    get :index
+    form_token = assert_presence_and_fetch_form_csrf_token
+    assert_matches_session_token_on_server form_token
+
+    @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
+    @request.env["QUERY_STRING"] = "key=value"
+    assert_nothing_raised do
+      post :post_one, params: { custom_authenticity_token: form_token }
+    end
+  end
+
   def test_rejects_garbage_path
     get :index