Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2026-01-29 16:28:09 -05:00 · 2007-09-28 15:55:45 +00:00
parent b095ce63f2
commit 5edc81dcc2
12 changed files with 75 additions and 21 deletions
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*

+* Allow ability to disable request forgery protection, disable it in test mode by default.  Closes #9693 [lifofifo]
+
 * Avoid calling is_missing on LoadErrors. Closes #7460. [ntalbott]

 * Move Railties' Dispatcher to ActionController::Dispatcher, introduce before_ and after_dispatch callbacks, and warm up to non-CGI requests.  [Jeremy Kemper]
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -328,8 +328,11 @@ module ActionController #:nodoc:
    cattr_accessor :resource_action_separator
    
    # Sets the token parameter name for RequestForgery.  Calling #protect_from_forgery sets it to :authenticity_token by default
-    @@request_forgery_protection_token = nil
    cattr_accessor :request_forgery_protection_token
+    
+    # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+    class_inheritable_accessor :allow_forgery_protection
+    self.allow_forgery_protection = true

    # Holds the request object that's primarily used to get environment variables through access like
    # <tt>request.env["REQUEST_URI"]</tt>.
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -8,6 +8,7 @@ module ActionController #:nodoc:
        class_inheritable_accessor :request_forgery_protection_options
        self.request_forgery_protection_options = {}
        helper_method :form_authenticity_token
+        helper_method :protect_against_forgery?
      end
      base.extend(ClassMethods)
    end
@@ -48,6 +49,9 @@ module ActionController #:nodoc:
      #
      #     # uses one of the other session stores that uses a session_id value.
      #     protect_from_forgery :secret => 'my-little-pony', :except => :index
+      #
+      #     # you can disable csrf protection on controller-by-controller basis:
+      #     skip_before_filter :verify_authenticity_token
      #   end
      #
      # Valid Options:
@@ -75,9 +79,9 @@ module ActionController #:nodoc:
      # * is it a GET request?  Gets should be safe and idempotent
      # * Does the form_authenticity_token match the given _token value from the params?
      def verified_request?
-        request_forgery_protection_token.nil? ||
-          request.method == :get              ||
-          !verifiable_request_format?         ||
+        !protect_against_forgery?     ||
+          request.method == :get      ||
+          !verifiable_request_format? ||
          form_authenticity_token == params[request_forgery_protection_token]
      end
    
@@ -110,5 +114,9 @@ module ActionController #:nodoc:
        session[:csrf_id] ||= CGI::Session.generate_unique_id
        session.dbman.generate_digest(session[:csrf_id])
      end
+      
+      def protect_against_forgery?
+        allow_forgery_protection && request_forgery_protection_token
+      end
  end
 end
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -401,7 +401,7 @@ module ActionView
              ''
            when /^post$/i, "", nil
              html_options["method"] = "post"
-              request_forgery_protection_token ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : ''
+              protect_against_forgery? ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : ''
            else
              html_options["method"] = "post"
              content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0')
@@ -421,7 +421,7 @@ module ActionView
        end

        def token_tag
-          if request_forgery_protection_token.nil?
+          unless protect_against_forgery?
            ''
          else
            tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
--- a/actionpack/lib/action_view/helpers/prototype_helper.rb
+++ b/actionpack/lib/action_view/helpers/prototype_helper.rb
@@ -739,7 +739,7 @@ module ActionView
          js_options['parameters'] = options[:with]
        end
        
-        if request_forgery_protection_token
+        if protect_against_forgery?
          if js_options['parameters']
            js_options['parameters'] << " + '&"
          else
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -203,7 +203,7 @@ module ActionView
        form_method = method.to_s == 'get' ? 'get' : 'post'
        
        request_token_tag = ''
-        if form_method == 'post' && request_forgery_protection_token
+        if form_method == 'post' && protect_against_forgery?
          request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
        end
        
@@ -477,7 +477,7 @@ module ActionView
            submit_function << "m.setAttribute('name', '_method'); m.setAttribute('value', '#{method}'); f.appendChild(m);"
          end

-          if request_forgery_protection_token
+          if protect_against_forgery?
            submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); "
            submit_function << "s.setAttribute('name', '#{request_forgery_protection_token}'); s.setAttribute('value', '#{escape_javascript form_authenticity_token}'); f.appendChild(s);"
          end
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -125,6 +125,18 @@ class CsrfCookieMonsterController < ActionController::Base
  protect_from_forgery :only => :index
 end

+class FreeCookieController < CsrfCookieMonsterController
+  self.allow_forgery_protection = false
+  
+  def index
+    render :inline => "<%= form_tag('/') {} %>"
+  end
+  
+  def show_button
+    render :inline => "<%= button_to('New', '/') {} %>"
+  end  
+end
+
 class FakeSessionDbMan
  def self.generate_digest(data)
    Digest::SHA1.hexdigest("secure")
@@ -147,3 +159,29 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
  end
 end

+class FreeCookieControllerTest < Test::Unit::TestCase
+  
+  def setup
+    @controller = FreeCookieController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    @token      = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+  end
+  
+  def test_should_not_render_form_with_token_tag
+    get :index
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+  end
+  
+  def test_should_not_render_button_to_with_token_tag
+    get :show_button
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+  end
+  
+  def test_should_allow_all_methods_without_token
+    [:post, :put, :delete].each do |method|
+      assert_nothing_raised { send(method, :index)}
+    end
+  end
+  
+end
--- a/actionpack/test/template/form_helper_test.rb
+++ b/actionpack/test/template/form_helper_test.rb
@@ -711,8 +711,8 @@ class FormHelperTest < Test::Unit::TestCase
    def post_path(post)
      "/posts/#{post.id}"
    end
-    
-    def request_forgery_protection_token
-      nil
+
+    def protect_against_forgery?
+      false
    end
 end
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -177,9 +177,8 @@ class FormTagHelperTest < Test::Unit::TestCase
    expected = %(<fieldset>Hello world!</fieldset>)
    assert_dom_equal expected, _erbout
  end
-  
-  def request_forgery_protection_token
-    nil
-    
+
+  def protect_against_forgery?
+    false
  end
 end
--- a/actionpack/test/template/prototype_helper_test.rb
+++ b/actionpack/test/template/prototype_helper_test.rb
@@ -65,6 +65,10 @@ protected
    nil
  end
  
+  def protect_against_forgery?
+    false
+  end
+  
  def create_generator
    block = Proc.new { |*args| yield *args if block_given? } 
    JavaScriptGenerator.new self, &block
--- a/actionpack/test/template/scriptaculous_helper_test.rb
+++ b/actionpack/test/template/scriptaculous_helper_test.rb
@@ -89,8 +89,8 @@ class ScriptaculousHelperTest < Test::Unit::TestCase
    assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nDroppables.add(\"droptarget1\", {accept:['tshirts','mugs'], onDrop:function(element){new Ajax.Updater('infobox', 'http://www.example.com/', {asynchronous:true, evalScripts:true, parameters:'id=' + encodeURIComponent(element.id)})}})\n//]]>\n</script>),
      drop_receiving_element("droptarget1", :accept => ['tshirts','mugs'], :update => 'infobox')
  end
-  
-  def request_forgery_protection_token
-    nil
+
+  def protect_against_forgery?
+    false
  end
 end
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -268,8 +268,8 @@ class UrlHelperTest < Test::Unit::TestCase
    assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
  end
  
-  def request_forgery_protection_token
-    nil
+  def protect_against_forgery?
+    false
  end
 end