- 24 May 2016, 1 commit
  Committed by Matthew Caruana Galizia
  CSRF verification for non-XHR GET requests (cross-origin `<script>` tags) didn't check this flag before logging failures. Setting `config.action_controller.log_warning_on_csrf_failure = false` now disables logging for these CSRF failures as well. Closes #25086. Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
- 20 April 2016, 1 commit
  Committed by Rafael Mendonça França
  When the token is generated by the form we were using the scheme and host information while only using the path to compare if the action was the same. This was causing the token to be invalid. To fix this we use the same information to generate the token and check it. Fix #24257
- 23 February 2016, 1 commit
  Committed by Rafael Mendonça França
  When the `button_to 'Botton', url` form was being used the per-form token was not correct because the method that was being used to generate it was an empty string.
- 22 February 2016, 2 commits
- 05 January 2016, 1 commit
  Committed by Ben Toews
- 07 December 2015, 1 commit
  Committed by eileencodes
  Per this comment https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want `protect_from_forgery` to default to `prepend: false`. `protect_from_forgery` will now be inserted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection. If you want `protect_from_forgery` callbacks to always run first, regardless of the position they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call. Example:

  ```ruby
  protect_from_forgery prepend: true
  ```
- 26 November 2015, 1 commit
  Committed by Ben Toews
- 05 September 2015, 1 commit
  Committed by Marcin Olichwirowicz
- 25 August 2015, 1 commit
  Committed by Marcin Olichwirowicz
- 24 August 2015, 1 commit
  Committed by Marcin Olichwirowicz
- 18 July 2015, 1 commit
  Committed by Prem Sichanugrist
  This will silence deprecation warnings. Most of the tests can be changed from `render :text` to `render :plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.
- 09 July 2015, 1 commit
  Committed by Aaron Patterson
  We should leverage the request / response objects that the superclass has already allocated for us.
- 28 May 2015, 1 commit
  Committed by Mehmet Emin İNAÇ
  The `head` method works similarly to the `render` method with the `:nothing` option.
- 26 April 2015, 1 commit
  Committed by Prathamesh Sonpatki
- 13 February 2015, 1 commit
  Committed by Ville Lautanala
  Non-string authenticity tokens raised NoMethodError when decoding the masked token.
- 01 February 2015, 1 commit
  Committed by Kir Shatrov
  in `ActionController::TestCase` and `ActionDispatch::Integration`. Old syntax: `xhr :get, :create, params: { id: 1 }`. New syntax example: `get :create, params: { id: 1 }, xhr: true`
- 29 January 2015, 1 commit
  Committed by Kir Shatrov
  Non-kwargs requests are deprecated now. Guides are updated as well. `post url, nil, nil, { a: 'b' }` doesn't make sense; `post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same.
- 09 January 2015, 1 commit
  Committed by Josef Šimánek
- 20 August 2014, 1 commit
  Committed by Bradley Buda
  This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
- 17 June 2014, 2 commits
- 16 June 2014, 1 commit
  Committed by Timm
  Fixed a Nokogiri::CSS::SyntaxError by using its expected format for unicode characters.
- 28 May 2014, 1 commit
  Committed by Zuhao Wan
- 06 May 2014, 1 commit
  Committed by Tom Kadwill
- 18 April 2014, 2 commits
  Committed by Rafael Mendonça França
  Related with cbb91745

  Committed by Rafael Mendonça França
  This was changed at cbb91745
- 05 March 2014, 1 commit
  Committed by John Barton (joho)
  Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection, which is on by default.
- 18 December 2013, 2 commits
  Committed by Jeremy Kemper

  Committed by Jeremy Kemper
  Thanks to @homakov for sounding the alarm about JSONP-style data leaking
- 19 September 2013, 1 commit
  Committed by Jonathan Baudanza
  Previously it was raising a NilException
- 09 February 2013, 1 commit
  Committed by Andrey Chernih
- 23 January 2013, 1 commit
  Committed by Michiel Sikkes
- 06 January 2013, 1 commit
  Committed by Yves Senn
  They don't add any benefits over `assert object.blank?` and `assert object.present?`
- 13 September 2012, 1 commit
  Committed by Sergey Nartimov
  It's further work on CSRF after 24594110. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does).
- 31 May 2012, 1 commit
  Committed by Sergey Nartimov
- 29 March 2012, 3 commits
  Committed by Piotr Sarnacki
  If embedding auth_token in remote forms is off and we pass a value for auth_token it should respect it.

  Committed by Piotr Sarnacki
  Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms` to `false`. This change breaks remote forms that need to work also without javascript, so if you need such behavior, you can either set it to `true` or explicitly pass `:authenticity_token => true` in form options.

  Committed by Piotr Sarnacki
  There is a regression introduced in 16ee611f, which breaks remote forms that should also work without javascript. This commit introduces a config option that allows configuring this behavior, defaulting to the old behavior (i.e. include the authenticity token in remote forms by default). Conflicts: actionpack/CHANGELOG.md
- 16 March 2012, 1 commit
  Committed by Sandeep