- 29 Mar 2020, 1 commit
Committed by Scott Blum
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport. Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.
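As an added illustration of the scheme this commit describes (my own code, not Rails' implementation): a masked CSRF token emitted Base64 urlsafe and validated from either urlsafe or legacy strict-encoded input, with non-string and undecodable values rejected instead of raising. `TOKEN_LENGTH`, `masked_token`, `legacy_masked_token` and `valid_token?` are names assumed here for the example.

```ruby
require "securerandom"
require "base64"

# Added example, not Rails' own code: a per-session secret is XORed with a
# fresh one-time pad on every emission (two tokens for the same session never
# look alike) and Base64 urlsafe-encoded, so the result contains no "+", "/"
# or "=" and survives cookies and query strings as-is. Validation decodes
# urlsafe tokens and legacy strict-encoded tokens alike.
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison: no early exit on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# New style: pad || (pad XOR secret), urlsafe alphabet, no "=" padding.
def masked_token(secret)
  pad = SecureRandom.random_bytes(secret.bytesize)
  Base64.urlsafe_encode64(pad + xor_bytes(pad, secret), padding: false)
end

# Old style, here only to exercise the backwards-compatible validation path.
def legacy_masked_token(secret)
  pad = SecureRandom.random_bytes(secret.bytesize)
  Base64.strict_encode64(pad + xor_bytes(pad, secret))
end

# Try the urlsafe alphabet first, then fall back to strict Base64.
def decode_token(encoded)
  Base64.urlsafe_decode64(encoded)
rescue ArgumentError
  Base64.strict_decode64(encoded)
end

# True only for a well-formed token whose unmasked value equals the secret;
# non-strings and undecodable input return false instead of raising.
def valid_token?(encoded, secret)
  return false unless encoded.is_a?(String)
  bytes = decode_token(encoded)
  return false unless bytes.bytesize == 2 * secret.bytesize
  pad = bytes.byteslice(0, secret.bytesize)
  masked = bytes.byteslice(secret.bytesize, secret.bytesize)
  secure_equal?(xor_bytes(pad, masked), secret)
rescue ArgumentError
  false
end
```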

- 24 Jan 2020, 1 commit
Committed by Bibek Shrestha
PR #38211 introduced a bug where URLs with query_params will fail to validate the authenticity token. This PR changes fullpath to path to fix the bug. I've also added a test with query_params.

- 11 Jan 2020, 1 commit
Committed by Aaron Patterson
PATH_INFO will never contain query parameters (that is the contract with the webserver), so there is no reason to call URI.parse on it. In addition, clients can send garbage paths that raise an exception when being parsed rather than just failing the auth token check.

- 07 Oct 2019, 1 commit
Committed by Jean Boussier

- 04 Aug 2019, 1 commit
Committed by Eugene Kenny
These calls to `content_type` were triggering the deprecation from c631e8d0 in upgraded applications. We can use `media_type` in all of these cases to avoid the deprecation.

- 13 Jun 2019, 1 commit
Committed by Ryuta Kamizono
We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now the `Layout/EmptyLinesAroundAccessModifier` cop has a new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce our code review cost.

- 27 May 2018, 1 commit
Committed by Gabriel Jaldon

- 26 Jan 2018, 1 commit
Committed by Daniel Colson

- 04 Nov 2017, 1 commit
Committed by Jack McCracken

- 25 Sep 2017, 1 commit
Committed by Michael Coyne
Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.

- 29 Jul 2017, 1 commit
Committed by Kir Shatrov

- 11 Jul 2017, 1 commit
Committed by Lisa Ugray
Since we now default to `protect_from_forgery with: :exception`, provide a wrapper to `skip_before_action :verify_authenticity_token` for disabling forgery protection.

- 02 Jul 2017, 1 commit
Committed by Matthew Draper
This reverts commit 3420a145, reversing changes made to afb66a5a.

- 01 Jul 2017, 1 commit
Committed by Kir Shatrov

- 16 Apr 2017, 1 commit
Committed by Kasper Timm Hansen
Effectively treat nil values as "auto", e.g. whatever a form helper chooses to interpret it as. But treat an explicitly assigned false value as disabling.

- 06 Apr 2017, 1 commit
Committed by Jon Leighton
I came up against this while dealing with a misconfigured server. The browser was setting the Origin header to "https://example.com", but the Rails app returned "http://example.com" from request.base_url (because it was failing to detect that HTTPS was used). This caused verify_authenticity_token to fail, but the message in the log was "Can't verify CSRF token", which is confusing because the failure had nothing to do with the CSRF token sent in the request. This made it very hard to identify the issue, so hopefully this will make it more obvious for the next person.

- 23 Dec 2016, 1 commit
Committed by Akira Matsuda

- 16 Aug 2016, 1 commit
Committed by Rafael Mendonça França
Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces
Fix all violations in the repository.

- 07 Aug 2016, 5 commits
Committed by Ryuta Kamizono

Committed by Xavier Noria

Committed by Xavier Noria

Committed by Xavier Noria

Committed by Xavier Noria
The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.

- 17 Jul 2016, 1 commit
Committed by Rafael Mendonça França

- 24 May 2016, 1 commit
Committed by Matthew Caruana Galizia
CSRF verification for non-XHR GET requests (cross-origin `<script>` tags) didn't check this flag before logging failures. Setting `config.action_controller.log_warning_on_csrf_failure = false` now disables logging for these CSRF failures as well. Closes #25086. Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>

- 20 Apr 2016, 1 commit
Committed by Rafael Mendonça França
When the token is generated by the form we were using the scheme and host information while only using the path to compare if the action was the same. This was causing the token to be invalid. To fix this we use the same information to generate the token and check it. Fix #24257

- 23 Feb 2016, 1 commit
Committed by Rafael Mendonça França
When the `button_to 'Botton', url` form was being used the per-form token was not correct because the method that was being used to generate it was an empty string.

- 22 Feb 2016, 2 commits

- 05 Jan 2016, 1 commit
Committed by Ben Toews

- 07 Dec 2015, 1 commit
Committed by eileencodes
Per this comment https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want `protect_from_forgery` to default to `prepend: false`. `protect_from_forgery` will now be inserted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection. If you want `protect_from_forgery` callbacks to always run first, regardless of the position they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call. Example:

```ruby
protect_from_forgery prepend: true
```

- 26 Nov 2015, 1 commit
Committed by Ben Toews

- 05 Sep 2015, 1 commit
Committed by Marcin Olichwirowicz

- 25 Aug 2015, 1 commit
Committed by Marcin Olichwirowicz

- 24 Aug 2015, 1 commit
Committed by Marcin Olichwirowicz

- 18 Jul 2015, 1 commit
Committed by Prem Sichanugrist
This will silence deprecation warnings. Most of the tests can be changed from `render :text` to `render :plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.

- 09 Jul 2015, 1 commit
Committed by Aaron Patterson
We should leverage the request / response objects that the superclass has already allocated for us.

- 28 May 2015, 1 commit
Committed by Mehmet Emin İNAÇ
The `head` method works similarly to the `render` method with the `:nothing` option.

- 26 Apr 2015, 1 commit
Committed by Prathamesh Sonpatki

- 13 Feb 2015, 1 commit
Committed by Ville Lautanala
Non-string authenticity tokens raised NoMethodError when decoding the masked token.