#139 [PATCH] Bug: Earlier Check for Session in Forgery Protection - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
Combine keywords for powerful searching.
Use advanced searching »

#139 √ resolved

[PATCH] Bug: Earlier Check for Session in Forgery Protection

Reported by Peter Jones | May 7th, 2008 @ 05:07 PM

The session is used by the form_authenticity_token method before it is

tested to be valid. This patch moves a few lines around so that the

session is validated first.

Without this patch, if you try to use forgery protection with sessions

turned off, you get this exception message:

undefined method `session_id' for {}:Hash

The patch includes a test that can be used to see this behavior before

the request_forgery_protection.rb file is patched to fix it.

session-check.diff 3.8 KB

Comments and changes to this ticket

Jim James May 8th, 2008 @ 09:56 AM
+1
Jim.
Rafael Cardoso May 9th, 2008 @ 04:00 PM
+1
Fernand Galiana May 8th, 2008 @ 10:06 AM
+1
_ugly May 8th, 2008 @ 10:42 AM
+1
Alistair May 8th, 2008 @ 11:02 AM
+1
Andrew Zielinski May 8th, 2008 @ 06:06 PM
+1
Repository May 11th, 2008 @ 01:29 PM
(from [0dabb5b7ab3fad23da91a2312f7b586855d52f4a]) Fixed that forgery protection can be used without session tracking (Peter Jones) [#139 state:resolved]
http://github.com/rails/rails/co...

Please Login or create a free account to add a new comment.

You can update this ticket by sending an email to from your email client. (help)

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Source available from github

The Git repository resides at http://github.com/rails

Check out the current development trunk (Edge Rails) with:

git clone git://github.com/rails/rails.git

The latest development for the 1.2.x and 2.0.x releases are on the 1-2-stable and 2-0-stable branches.

Creating a bug report

When creating a bug report, be sure to include as much relevant information as possible. Post the code sample that causes the problem. Preferably, alter the unit tests and show through either changed or added tests how the expected behavior is not occuring.

Security vulnerabilities should be reported via an email to security@rubyonrails.org, do not use trac for reporting security vulnerabilities. All content in trac is publicly available as soon as it is posted.

Then don't get your hopes up. Unless you have a "Code Red, Mission Critical, The World is Coming to an End" kinda bug, you're creating this ticket in the hope that others with the same problem will be able to collaborate with you on solving it. Do not expect that the ticket automatically will see any activity or that others will jump to fix it. Creating a ticket like this is mostly to help yourself start on the path of fixing the problem and for others to sign on to with a "I'm having this problem too".

Shared Ticket Bins (Sort)

120Open Patches ↓↑ drag
0Open Doc Patches ↓↑ drag
0Open Bugs ↓↑ drag
4Stale Tickets ↓↑ drag
0Verified Patches ↓↑ drag

People watching this ticket

Attachments

session-check.diff 3.8 KB

Keyword searching