This project is archived and is in readonly mode.

#6743 ✓invalid
mrbrdo

CSRF not working Rails 3.0.7

Reported by mrbrdo | April 25th, 2011 @ 03:16 PM

Example project: https://github.com/mrbrdo/csrf-test (it's just rails new csrf_test, rails g scaffold post title:string)
CSRF is enabled in application controller.

Run (while rails server is running): curl -d "post[title]=hacked" http://localhost:3000/posts

It works (post is created), even though there is no CSRF token sent. Maybe I did something wrong here, but if not, this is a very serious bug.
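Why the request gets through, as an added example that is not part of the ticket and not Rails' own code: since Rails 3.0.4 the default handler behind protect_from_forgery no longer raises on an unverified request; it resets the session and lets the action run, so a bare curl POST creates the record but as a sessionless request. The CsrfCheck class and the two helper functions below are a small model written for this page, with hypothetical names.

```ruby
require 'securerandom'

# Model of the Rails 3.0.4+ forgery check (not the framework's code).
class CsrfCheck
  SAFE_METHODS = %w[GET HEAD].freeze   # safe methods are never checked

  attr_reader :session, :unverified

  def initialize(session)
    @session = session
    @unverified = false
  end

  # Shape of verified_request?: a safe method, or a token supplied via the
  # authenticity_token param or the X-CSRF-Token header (added in 3.0.4)
  # that equals the token stored in the session. Rails 3.0 compared with ==;
  # later versions moved to a constant-time comparison.
  def verified_request?(method, params: {}, headers: {})
    return true if SAFE_METHODS.include?(method.upcase)
    expected = @session[:_csrf_token]
    supplied = params['authenticity_token'] || headers['X-CSRF-Token']
    !expected.nil? && expected == supplied
  end

  # 3.0.4+ default: handle_unverified_request calls reset_session, then the
  # action still runs. Before 3.0.4 this raised InvalidAuthenticityToken.
  def verify_authenticity_token(method, params: {}, headers: {})
    return if verified_request?(method, params: params, headers: headers)
    @unverified = true
    @session = {}
  end
end

# The ticket's reproduction: a POST carrying no token and no session cookie.
def bare_curl_post
  c = CsrfCheck.new({})
  c.verify_authenticity_token('POST', params: { 'post' => { 'title' => 'hacked' } })
  { action_ran: true, unverified: c.unverified, session: c.session }
end

# The same POST from a browser form that carried the session's own token.
def form_post
  token = SecureRandom.base64(32)
  c = CsrfCheck.new({ _csrf_token: token, user_id: 42 })
  c.verify_authenticity_token('POST', params: { 'authenticity_token' => token })
  { action_ran: true, unverified: c.unverified, session: c.session }
end
```

The check a practitioner wants is therefore not "was the record created" but "did the session survive the request": with a logged-in session cookie attached, the token-less POST lands in an empty session, which is what breaks a real cross-site attempt.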

Comments and changes to this ticket

