Merge pull request #38211 from rails/do-not-reparse-path-info

Do not re-parse PATH_INFO when validating authenticity token

actionpack/lib/action_controller/metal/request_forgery_protection.rb

@@ -381,7 +381,7 @@ def valid_per_form_csrf_token?(token, session) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
             session,
-            normalize_action_path(request.fullpath),
+            request.fullpath.chomp("/"),
             request.request_method
           )
 

actionpack/test/controller/request_forgery_protection_test.rb

@@ -835,6 +835,20 @@ def test_accepts_token_for_correct_path_and_method
     assert_response :success
   end
 
+  def test_rejects_garbage_path
+    get :index
+
+    form_token = assert_presence_and_fetch_form_csrf_token
+
+    assert_matches_session_token_on_server form_token
+
+    # Set invalid URI in PATH_INFO
+    @request.env["PATH_INFO"] = "/foo/bar<"
+    assert_raise ActionController::InvalidAuthenticityToken do
+      post :post_one, params: { custom_authenticity_token: form_token }
+    end
+  end
+
   def test_rejects_token_for_incorrect_path
     get :index
 
@@ -920,7 +934,7 @@ def test_accepts_global_csrf_token
     assert_response :success
   end
 
-  def test_ignores_params
+  def test_chomps_slashes
     get :index, params: { form_path: "/per_form_tokens/post_one?foo=bar" }
 
     form_token = assert_presence_and_fetch_form_csrf_token
@@ -928,7 +942,7 @@ def test_ignores_params
     assert_matches_session_token_on_server form_token
 
     # This is required because PATH_INFO isn't reset between requests.
-    @request.env["PATH_INFO"] = "/per_form_tokens/post_one?foo=baz"
+    @request.env["PATH_INFO"] = "/per_form_tokens/post_one/"
     assert_nothing_raised do
       post :post_one, params: { custom_authenticity_token: form_token, baz: "foo" }
     end