提交 · 0c407891fb209a4f94f09681db28e40a8b754198 · 张重言 / rails

23 11月, 2008 1 次提交
- M
  Change the forgery token implementation to just be a simple random string. · 9fdb15e6
  由 Michael Koziarski 提交于 11月 20, 2008
```
This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
```
  9fdb15e6
13 11月, 2008 1 次提交
- J
  Changed request forgery protection to only worry about HTML-formatted content requests. · fbbcd6f2
  由 Jeff Cohen 提交于 10月 31, 2008
```
Signed-off-by: NMichael Koziarski <michael@koziarski.com>
```
  fbbcd6f2
08 11月, 2008 1 次提交
- J
  
  Move controller assertions from base TestCase to AC:: and AV::TestCase · c82e8e1f
  由 Jeremy Kemper 提交于 11月 07, 2008
  
  c82e8e1f
12 5月, 2008 1 次提交

Bug: Earlier Check for Session in Forgery Protection · 2a986200

由 Peter Jones 提交于 5月 07, 2008

The session is used by the form_authenticity_token method before it is
tested to be valid.  This patch moves a few lines around so that the
session is validated first.

Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:

  undefined method `session_id' for {}:Hash

The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.

2a986200

06 5月, 2008 2 次提交
- R
  
  change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73] · c8451aee
  由 rick 提交于 5月 06, 2008
  
  c8451aee
- R
  Change the request forgery protection to go by Content-Type instead of... · 0697d17d
  由 rick 提交于 5月 06, 2008
```
Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]
```
  0697d17d
09 1月, 2008 1 次提交

Don't append the forgery token to an ajax request if it's serializing a form,... · 5ef8a81b

由 Michael Koziarski 提交于 1月 08, 2008

Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]


git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

5ef8a81b

05 1月, 2008 1 次提交
- J
  require abstract_unit directly since test is in load path · 9d755f19
  由 Jeremy Kemper 提交于 1月 05, 2008
```
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
```
  9d755f19
02 10月, 2007 1 次提交

Ruby 1.9 compat, consistent load paths · 0ee1cb2c

由 Jeremy Kemper 提交于 10月 02, 2007

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

0ee1cb2c

29 9月, 2007 2 次提交

Better error messages if you leave out the :secret option for request forgery... · 82ff2776

由 Rick Olson 提交于 9月 28, 2007

Better error messages if you leave out the :secret option for request forgery protection.  Closes #9670 [rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

82ff2776

Add missing require · c1bdf027

由 Michael Koziarski 提交于 9月 28, 2007


git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

c1bdf027

28 9月, 2007 1 次提交

Allow ability to disable request forgery protection, disable it in test mode... · 5edc81dc

由 Rick Olson 提交于 9月 28, 2007

Allow ability to disable request forgery protection, disable it in test mode by default.  Closes #9693 [lifofifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

5edc81dc

26 9月, 2007 1 次提交
- D
  Protect button_to behind protect_from_forgery (closes #9675) [lifo] · 82c1fed8
  由 David Heinemeier Hansson 提交于 9月 25, 2007
```
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
```
  82c1fed8
25 9月, 2007 1 次提交
- D
  Change from InvalidToken to InvalidAuthenticityToken to be more specific · bdf56720
  由 David Heinemeier Hansson 提交于 9月 24, 2007
```
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
```
  bdf56720
24 9月, 2007 1 次提交

Rename some RequestForgeryProtection methods. The class method is now... · c6190038

由 Rick Olson 提交于 9月 23, 2007

Rename some RequestForgeryProtection methods.  The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'.  [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

c6190038

23 9月, 2007 1 次提交

Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that... · 4e3ed5bc

由 Rick Olson 提交于 9月 23, 2007

Merge csrf_killer plugin into rails.  Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests.  [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

4e3ed5bc