Protect button_to behind protect_from_forgery (closes #9675) [lifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2026-01-29 16:28:09 -05:00 · 2007-09-25 16:50:35 +00:00
parent 106b236824
commit 82c1fed89f
2 changed files with 45 additions and 108 deletions
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -201,7 +201,12 @@ module ActionView
        end

        form_method = method.to_s == 'get' ? 'get' : 'post'
-
+        
+        request_token_tag = ''
+        if form_method == 'post' && request_forgery_protection_token
+          request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
+        end
+        
        if confirm = html_options.delete("confirm")
          html_options["onclick"] = "return #{confirm_javascript_function(confirm)};"
        end
@@ -212,7 +217,7 @@ module ActionView
        html_options.merge!("type" => "submit", "value" => name)

        "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
-          method_tag + tag("input", html_options) + "</div></form>"
+          method_tag + tag("input", html_options) + request_token_tag + "</div></form>"
      end


--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -4,42 +4,21 @@ ActionController::Routing::Routes.draw do |map|
  map.connect ':controller/:action/:id'
 end

-class RequestForgeryProtectionController < ActionController::Base
-  protect_from_forgery :only => :index, :secret => 'abc'
-
-  def index
-    render :inline => "<%= form_tag('/') {} %>"
-  end
-  
-  def unsafe
-    render :text => 'pwn'
-  end
-  
-  def rescue_action(e) raise e end
-end
-
-class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
-  def setup
-    @controller = RequestForgeryProtectionController.new
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
-    class << @request.session
-      def session_id() '123' end
-    end
-    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
-    ActionController::Base.request_forgery_protection_token = :authenticity_token
-  end
-  
+module RequestForgeryProtectionTests
  def teardown
    ActionController::Base.request_forgery_protection_token = nil
  end
-
+  
  def test_should_render_form_with_token_tag
    get :index
    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
  end
+  
+  def test_should_render_button_to_with_token_tag
+    get :show_button
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+  end

-  # Replace this with your real tests.
  def test_should_allow_get
    get :index
    assert_response :success
@@ -105,14 +84,15 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
  end
 end

-# no token is given, assume the cookie store is used
-class CsrfCookieMonsterController < ActionController::Base
-  protect_from_forgery :only => :index
-
+module RequestForgeryProtectionActions
  def index
    render :inline => "<%= form_tag('/') {} %>"
  end
  
+  def show_button
+    render :inline => "<%= button_to('New', '/') {} %>"
+  end
+  
  def unsafe
    render :text => 'pwn'
  end
@@ -120,6 +100,31 @@ class CsrfCookieMonsterController < ActionController::Base
  def rescue_action(e) raise e end
 end

+class RequestForgeryProtectionController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index, :secret => 'abc'
+end
+
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
+  def setup
+    @controller = RequestForgeryProtectionController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      def session_id() '123' end
+    end
+    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index
+end
+
 class FakeSessionDbMan
  def self.generate_digest(data)
    Digest::SHA1.hexdigest("secure")
@@ -127,6 +132,7 @@ class FakeSessionDbMan
 end

 class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
  def setup
    @controller = CsrfCookieMonsterController.new
    @request    = ActionController::TestRequest.new
@@ -139,79 +145,5 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
    @token = Digest::SHA1.hexdigest("secure")
    ActionController::Base.request_forgery_protection_token = :authenticity_token
  end
-  
-  def teardown
-    ActionController::Base.request_forgery_protection_token = nil
-  end
-
-  def test_should_render_form_with_token_tag
-    get :index
-    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
-  end
-
-  # Replace this with your real tests.
-  def test_should_allow_get
-    get :index
-    assert_response :success
-  end
-  
-  def test_should_allow_post_without_token_on_unsafe_action
-    post :unsafe
-    assert_response :success
-  end
-  
-  def test_should_not_allow_post_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
-  end
-  
-  def test_should_not_allow_put_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
-  end
-  
-  def test_should_not_allow_delete_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
-  end
-  
-  def test_should_not_allow_xhr_post_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
-  end
-  
-  def test_should_not_allow_xhr_put_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
-  end
-  
-  def test_should_not_allow_xhr_delete_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
-  end
-  
-  def test_should_allow_post_with_token
-    post :index, :authenticity_token => @token
-    assert_response :success
-  end
-  
-  def test_should_allow_put_with_token
-    put :index, :authenticity_token => @token
-    assert_response :success
-  end
-  
-  def test_should_allow_delete_with_token
-    delete :index, :authenticity_token => @token
-    assert_response :success
-  end
-  
-  def test_should_allow_post_with_xml
-    post :index, :format => 'xml'
-    assert_response :success
-  end
-  
-  def test_should_allow_put_with_xml
-    put :index, :format => 'xml'
-    assert_response :success
-  end
-  
-  def test_should_allow_delete_with_xml
-    delete :index, :format => 'xml'
-    assert_response :success
-  end
 end