From ea0bc56a65102db1c6ad9a0c6942932d73fe9216 Mon Sep 17 00:00:00 2001
From: Eric Davis
Date: Sat, 14 Nov 2009 19:41:07 +0000
Subject: [PATCH] Protect controllers from potential CSRF attacks. #4216

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3051 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 1 +
 config/environments/test.rb | 3 +++
 config/environments/test_pgsql.rb | 3 +++
 config/environments/test_sqlite3.rb | 3 +++
 4 files changed, 10 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 53259554..2bcfac95 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -25,6 +25,7 @@ class ApplicationController < ActionController::Base
 before_filter :user_setup, :check_if_login_required, :set_localization
 filter_parameter_logging :password
+ protect_from_forgery
 include Redmine::Search::Controller
 include Redmine::MenuManager::MenuController
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 388d2022..0d1b42e5 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
 :secret => "some secret phrase for the tests."
 }
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection = false
+
 config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
 config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
 config.gem "mocha"
diff --git a/config/environments/test_pgsql.rb b/config/environments/test_pgsql.rb
index 388d2022..0d1b42e5 100644
--- a/config/environments/test_pgsql.rb
+++ b/config/environments/test_pgsql.rb
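Review bot: The bare `protect_from_forgery` added after `filter_parameter_logging :password` has no `:only`/`:except` and no `:secret`, so every controller inheriting from ApplicationController now rejects token-less non-GET requests, and the resulting `ActionController::InvalidAuthenticityToken` is not rescued anywhere in this hunk; a comment should record both facts and remind maintainers that any controller accepting POSTs from non-browser clients (if such a controller exists) must opt out explicitly with `skip_before_filter :verify_authenticity_token` instead of failing at runtime. Because no secret is given the token is derived from the session, which makes the session store's secret security-relevant in production as well as in the test config touched by this commit. As far as I recall, the Rails 2.x check of this era also skips XHR and non-HTML content types, so the protection should be documented as browser-form protection rather than a general API guard; please confirm against the installed Rails version. The filter's position relative to `user_setup` and `check_if_login_required` is inferred from the visible lines only, and the class body continues outside the hunk.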
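Review bot: Setting `config.action_controller.allow_forgery_protection = false` here, and identically in the test_pgsql.rb and test_sqlite3.rb hunks, means the `protect_from_forgery` this commit introduces is never exercised by the suite, so a regression that removes or skips it would go unnoticed. One functional test that flips `ActionController::Base.allow_forgery_protection = true` in `setup`, posts without an `authenticity_token`, asserts `ActionController::InvalidAuthenticityToken`, and restores the flag in `teardown` would pin the behaviour. The added comment only links to a blog post; it should state the trade-off in place, e.g. `# Functional tests post without an authenticity_token; the CSRF check itself is covered by a dedicated test`. The three environment files carry this block verbatim, so a later change to one is likely to miss the other two.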
@@ -21,6 +21,9 @@ config.action_controller.session = {
 :secret => "some secret phrase for the tests."
 }
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection = false
+
 config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
 config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
 config.gem "mocha"
diff --git a/config/environments/test_sqlite3.rb b/config/environments/test_sqlite3.rb
index 388d2022..0d1b42e5 100644
--- a/config/environments/test_sqlite3.rb
+++ b/config/environments/test_sqlite3.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
 :secret => "some secret phrase for the tests."
 }
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection = false
+
 config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
 config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
 config.gem "mocha"