This project is archived and is in readonly mode.
Changeset [7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06] by Michael Koziarski
February 8th, 2011 @ 08:20 PM
Change the CSRF whitelisting to only apply to GET requests
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in Ajax requests, Rails now supports providing the token in a custom HTTP header:
X-CSRF-Token: ...
This fixes CVE-2011-0447
https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8e...
Committed by Michael Koziarski
- A actionpack/lib/action_view/helpers/csrf_helper.rb
- M actionpack/lib/action_controller/request_forgery_protection.rb
- M actionpack/lib/action_view/helpers.rb
- M actionpack/test/controller/request_forgery_protection_test.rb
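The check the commit message describes, as an added stand-alone Ruby example (this is not the code from the Rails commit itself): safe methods pass unconditionally, the old XHR/`X-Requested-With` exemption no longer counts, and every other request must present the session's token either as the `authenticity_token` form field or in the `X-CSRF-Token` header. Assumed for the example: a Rack-style `env` hash, the session token stored under `_csrf_token`, Rack's `HTTP_X_CSRF_TOKEN` spelling of the header, and a constant-time `secure_compare` helper, which is a later hardening and not part of the 2011 change.

```ruby
require "uri"

# Methods the whitelist exempts: only safe, idempotent reads skip the token check.
SAFE_METHODS = %w[GET HEAD].freeze

# Constant-time comparison so a wrong token takes as long to reject as a
# nearly-right one. Assumption for this example; not part of the 2011 commit.
def secure_compare(given, expected)
  return false unless given.is_a?(String) && expected.is_a?(String)
  return false unless given.bytesize == expected.bytesize
  diff = 0
  given.bytes.zip(expected.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Pull the token out of a urlencoded form body, if the request carries one.
# Field name "authenticity_token" follows the Rails convention (assumed here).
def form_token(env)
  return nil unless env["CONTENT_TYPE"].to_s.start_with?("application/x-www-form-urlencoded")
  input = env["rack.input"]
  body = input.respond_to?(:read) ? input.read : input.to_s
  URI.decode_www_form(body).to_h["authenticity_token"]
end

# GET/HEAD pass unconditionally; any other method must carry the session token
# as the form field or in X-CSRF-Token (Rack exposes it as HTTP_X_CSRF_TOKEN).
# Note that X-Requested-With is deliberately not consulted any more.
def verified_request?(env)
  return true if SAFE_METHODS.include?(env["REQUEST_METHOD"].to_s.upcase)

  expected = (env["rack.session"] || {})["_csrf_token"]   # assumed session key
  return false if expected.nil? || expected.empty?

  secure_compare(form_token(env), expected) ||
    secure_compare(env["HTTP_X_CSRF_TOKEN"], expected)
end

# Constructed sample requests (not captured traffic) exercising each path.
def sample_results(token = "c0nstructed-t0ken")
  session = { "_csrf_token" => token }
  {
    get_without_token:  verified_request?({ "REQUEST_METHOD" => "GET", "rack.session" => session }),
    post_without_token: verified_request?({ "REQUEST_METHOD" => "POST", "rack.session" => session }),
    post_form_token:    verified_request?({ "REQUEST_METHOD" => "POST", "rack.session" => session,
                                            "CONTENT_TYPE" => "application/x-www-form-urlencoded",
                                            "rack.input" => "authenticity_token=#{token}&title=x" }),
    post_header_token:  verified_request?({ "REQUEST_METHOD" => "POST", "rack.session" => session,
                                            "HTTP_X_CSRF_TOKEN" => token }),
    post_wrong_header:  verified_request?({ "REQUEST_METHOD" => "POST", "rack.session" => session,
                                            "HTTP_X_CSRF_TOKEN" => token.reverse }),
    # An XHR marker alone no longer satisfies the check; the token is required.
    xhr_header_only:    verified_request?({ "REQUEST_METHOD" => "DELETE", "rack.session" => session,
                                            "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" })
  }
end

if $PROGRAM_NAME == __FILE__
  sample_results.each { |name, ok| puts format("%-19s %s", name, ok ? "verified" : "rejected") }
end
```

The `xhr_header_only` case is the behavioural change the commit makes: a request that is marked as XHR but carries no token is now rejected, because plugins such as Flash or Java applets could set that marker without being subject to the same-origin rules the old whitelist relied on. Clients that send the token in `X-CSRF-Token` instead of a form field, as the `post_header_token` case does, keep working.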