Unverified commit e88e6cea
Authored Dec 07, 2017 by Sean Griffin
Committed by GitHub, Dec 07, 2017
Merge pull request #30780 from JackMc/fix-chrome-referrer-invalidauthenticitytoken
Fix issue #30658 by checking explicitly for 'null' referrer
Parents: e8286ee2, acdba1c6
Showing 2 changed files with 23 additions and 0 deletions (+23 -0)
actionpack/lib/action_controller/metal/request_forgery_protection.rb (+10 -0)
actionpack/test/controller/request_forgery_protection_test.rb (+13 -0)
actionpack/lib/action_controller/metal/request_forgery_protection.rb @ e88e6cea
@@ -415,11 +415,21 @@ def protect_against_forgery? # :doc:
allow_forgery_protection
end
NULL_ORIGIN_MESSAGE
=
<<-
MSG
.
strip_heredoc
The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
means you have the 'no-referrer' Referrer-Policy header enabled, or that you the request came from a site that
refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin.
If you cannot change the referrer policy, you can disable origin checking with the
Rails.application.config.action_controller.forgery_protection_origin_check setting.
MSG
# Checks if the request originated from the same origin by looking at the
# Origin header.
def
valid_request_origin?
# :doc:
if
forgery_protection_origin_check
# We accept blank origin headers because some user agents don't send it.
raise
InvalidAuthenticityToken
,
NULL_ORIGIN_MESSAGE
if
request
.
origin
==
"null"
request
.
origin
.
nil?
||
request
.
origin
==
request
.
base_url
else
true
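Review bot: the NULL_ORIGIN_MESSAGE text has a stray word ("or that you the request came from a site") and recommends "strict-same-origin", which is not a Referrer-Policy value; the standard values are same-origin, strict-origin and strict-origin-when-cross-origin, so suggest "same-origin or strict-origin-when-cross-origin". The comment "We accept blank origin headers because some user agents don't send it" now sits above the new raise instead of above the `request.origin.nil?` check it describes; move it down one line. Note that before this hunk a "null" origin already failed the `request.origin == request.base_url` comparison, so the change sharpens the diagnostic rather than tightening the check, which is the right outcome: "null" must keep being rejected, since it is what browsers send for requests from sandboxed or opaque origins.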
actionpack/test/controller/request_forgery_protection_test.rb @ e88e6cea
@@ -446,6 +446,19 @@ def test_should_allow_post_with_origin_checking_and_no_origin
end
end
def
test_should_raise_for_post_with_null_origin
forgery_protection_origin_check
do
session
[
:_csrf_token
]
=
@token
@controller
.
stub
:form_authenticity_token
,
@token
do
exception
=
assert_raises
(
ActionController
::
InvalidAuthenticityToken
)
do
@request
.
set_header
"HTTP_ORIGIN"
,
"null"
post
:index
,
params:
{
custom_authenticity_token:
@token
}
end
assert_match
"The browser returned a 'null' origin for a request"
,
exception
.
message
end
end
end
def
test_should_block_post_with_origin_checking_and_wrong_origin
old_logger
=
ActionController
::
Base
.
logger
logger
=
ActiveSupport
::
LogSubscriber
::
TestHelper
::
MockLogger
.
new
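Review bot: the new test pins the exact opening words of NULL_ORIGIN_MESSAGE through `assert_match "The browser returned a 'null' origin for a request", exception.message`, so any wording fix to the message must keep that prefix; matching on a shorter stable fragment such as `'null' origin` would make the test less brittle. The test also covers only the raise path: a companion test that sets HTTP_ORIGIN to "null" with forgery_protection_origin_check disabled and expects the post to succeed would show that the raise is gated on the origin check, as the message promises. Supplying a valid `custom_authenticity_token` here is correct, since it isolates the failure to the origin check rather than the token comparison.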