Send the CSRF token with Ajax requests (#7843).

Contributed by Etienne Massip.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5134 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/views/layouts/base.rhtml b/app/views/layouts/base.rhtml
index fda4e2954c4b39a7ba06fc77612c6a23b273a30e..7e9e4e1ecb9c4880bf2d216f1bb09e24eac65d30 100644 (file)
--- a/app/views/layouts/base.rhtml
+++ b/app/views/layouts/base.rhtml
@@ -5,6 +5,7 @@
 <title><%=h html_title %></title>
 <meta name="description" content="<%= Redmine::Info.app_name %>" />
 <meta name="keywords" content="issue,bug,tracker" />
+<%= csrf_meta_tag %>
 <%= favicon %>
 <%= stylesheet_link_tag 'application', :media => 'all' %>
 <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>

diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index a88856ea62fd149ba1977885f4835d0f46006a95..3996404bbd1b7b0b018444f0e5f36bd16f02bd0f 100644 (file)
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -299,9 +299,27 @@ var WarnLeavingUnsaved = Class.create({
        }
 });
 
-/* shows and hides ajax indicator */
+/* 
+ * 1 - registers a callback which copies the csrf token into the
+ * X-CSRF-Token header with each ajax request.  Necessary to 
+ * work with rails applications which have fixed
+ * CVE-2011-0447
+ * 2 - shows and hides ajax indicator
+ */
 Ajax.Responders.register({
-    onCreate: function(){
+    onCreate: function(request){
+        var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
+
+        if (csrf_meta_tag) {
+            var header = 'X-CSRF-Token',
+                token = csrf_meta_tag.readAttribute('content');
+
+            if (!request.options.requestHeaders) {
+              request.options.requestHeaders = {};
+            }
+            request.options.requestHeaders[header] = token;
+          }
+
         if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
             Element.show('ajax-indicator');
         }