From 36dbb3906b322b385575ff5d71768a092d4688cf Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Mon, 14 Mar 2011 21:31:02 +0000
Subject: [PATCH] Send the CSRF token with Ajax requests (#7843).

Contributed by Etienne Massip.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5134 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/layouts/base.rhtml | 1 +
 public/javascripts/application.js | 22 ++++++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/views/layouts/base.rhtml b/app/views/layouts/base.rhtml
index fda4e2954..7e9e4e1ec 100644
--- a/app/views/layouts/base.rhtml
+++ b/app/views/layouts/base.rhtml
@@ -5,6 +5,7 @@ <%=h html_title %>
+<%= csrf_meta_tag %>
 <%= favicon %>
 <%= stylesheet_link_tag 'application', :media => 'all' %>
 <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>
diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index a88856ea6..3996404bb 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -299,9 +299,27 @@ var WarnLeavingUnsaved = Class.create({
 }
 });
 
-/* shows and hides ajax indicator */
+/*
+ * 1 - registers a callback which copies the csrf token into the
+ * X-CSRF-Token header with each ajax request. Necessary to
+ * work with rails applications which have fixed
+ * CVE-2011-0447
+ * 2 - shows and hides ajax indicator
+ */
 Ajax.Responders.register({
- onCreate: function(){
+ onCreate: function(request){
+ var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
+ if (csrf_meta_tag) {
+ var header = 'X-CSRF-Token',
+ token = csrf_meta_tag.readAttribute('content');
+ if (!request.options.requestHeaders) {
+ request.options.requestHeaders = {};
+ }
+ request.options.requestHeaders[header] = token;
+ }
+
 if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
 Element.show('ajax-indicator');
 }
-- 
2.39.5
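Review bot: The new onCreate responder attaches the X-CSRF-Token header to every Ajax.Request without looking at the request's destination, so if any caller in the application issues a Prototype request to a URL on another origin, the session's anti-CSRF token is disclosed to that origin. Prototype sets `request.url` before dispatching onCreate (as far as I recall — confirm against the bundled prototype.js), so the header block can be limited to same-origin targets with a guard such as `var sameOrigin = !/^https?:\/\//i.test(request.url) || request.url.indexOf(window.location.protocol + '//' + window.location.host + '/') === 0;` and `if (csrf_meta_tag && sameOrigin) {` in place of the existing `if (csrf_meta_tag) {`. Two smaller points in the same block: the selector should quote the attribute value, `$$('meta[name="csrf-token"]')`, and when the meta tag has no content `readAttribute('content')` yields null, which is then sent as the header value, so a `token &&` check before setting it avoids emitting a bogus header. Note also that `request.options.requestHeaders[header] = token` writes into an object the caller may have supplied (and, if a caller uses Prototype's legacy array form of requestHeaders, the token is silently dropped by the header loop); copying into a fresh object avoids mutating caller state. The responder object and the onCreate function both continue past the end of the hunk.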