Set default protect from forgery true (#36317).
authorMarius Balteanu <marius.balteanu@zitec.com>
Sat, 22 Jan 2022 08:43:42 +0000 (08:43 +0000)
committerMarius Balteanu <marius.balteanu@zitec.com>
Sat, 22 Jan 2022 08:43:42 +0000 (08:43 +0000)
Patch by Takashi Kato.

git-svn-id: http://svn.redmine.org/redmine/trunk@21379 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb
config/application.rb

index 2dc99a01fe96a56bdd26415d536a7e05c95bb7d3..8878026f31c05cdcaedcc18ce70adc0b9b99a3a5 100644 (file)
@@ -38,8 +38,6 @@ class ApplicationController < ActionController::Base
 
   layout 'base'
 
-  protect_from_forgery
-
   def verify_authenticity_token
     unless api_request?
       super
@@ -48,11 +46,16 @@ class ApplicationController < ActionController::Base
 
   def handle_unverified_request
     unless api_request?
-      super
-      cookies.delete(autologin_cookie_name)
-      self.logged_user = nil
-      set_localization
-      render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      begin
+        super
+      rescue ActionController::InvalidAuthenticityToken => e
+        logger.error("ActionController::InvalidAuthenticityToken: #{e.message}") if logger
+      ensure
+        cookies.delete(autologin_cookie_name)
+        self.logged_user = nil
+        set_localization
+        render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      end
     end
   end
 
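Review bot: The `ensure` clause in `handle_unverified_request` renders the 422 and resets the session on every exit from `super`, including an exception other than `InvalidAuthenticityToken`, which would then propagate with a response already rendered and could turn a later `rescue_from` render into a `DoubleRenderError`; with the `:exception` strategy that `default_protect_from_forgery` selects, `super` only raises `InvalidAuthenticityToken`, so this is probably fine, but the dependency deserves a comment above `begin`: `# default_protect_from_forgery selects the :exception strategy, so super raises InvalidAuthenticityToken; rescue it, clear the session/autologin cookie and answer 422 ourselves`. The `e.message` being logged is, as far as I can tell, just the exception's default text, and Rails' own `verify_authenticity_token` already warns on the same failure, so the `logger.error` line adds little — consider dropping it or logging `request.path`/`request.origin` instead, which is what an operator investigating CSRF attempts actually needs. Note also that the bare `protect_from_forgery` removed in the first hunk defaulted to `:null_session` on the Rails versions I know, so this commit changes the effective strategy (unverified requests now raise rather than silently nulling the session), which is why the rescue is needed; confirm against the Rails version pinned in the Gemfile. The `rescue` block leaves the session reset and 422 in place even if a plugin overrides the strategy back to a non-raising one, which looks intentional and worth keeping.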
index 902007d03c163cb1ecc5ec2f779d77c193816230..bba468f383ce1373914b1f18c6dfdfb47c565745 100644 (file)
@@ -58,6 +58,9 @@ module RedmineApp
     # Do not include all helpers
     config.action_controller.include_all_helpers = false
 
+    # Add forgery protection
+    config.action_controller.default_protect_from_forgery = true
+
     # Sets the Content-Length header on responses with fixed-length bodies
     config.middleware.insert_before Rack::Sendfile, Rack::ContentLength