Set default protect from forgery true (#36317).

Patch by Takashi Kato.

git-svn-id: http://svn.redmine.org/redmine/trunk@21379 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb

@@ -38,8 +38,6 @@ class ApplicationController < ActionController::Base
 
   layout 'base'
 
-  protect_from_forgery
-
   def verify_authenticity_token
     unless api_request?
       super
@@ -48,11 +46,16 @@ class ApplicationController < ActionController::Base
 
   def handle_unverified_request
     unless api_request?
-      super
-      cookies.delete(autologin_cookie_name)
-      self.logged_user = nil
-      set_localization
-      render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      begin
+        super
+      rescue ActionController::InvalidAuthenticityToken => e
+        logger.error("ActionController::InvalidAuthenticityToken: #{e.message}") if logger
+      ensure
+        cookies.delete(autologin_cookie_name)
+        self.logged_user = nil
+        set_localization
+        render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      end
     end
   end
 

config/application.rb

@@ -58,6 +58,9 @@ module RedmineApp
     # Do not include all helpers
     config.action_controller.include_all_helpers = false
 
+    # Add forgery protection
+    config.action_controller.default_protect_from_forgery = true
+
     # Sets the Content-Length header on responses with fixed-length bodies
     config.middleware.insert_before Rack::Sendfile, Rack::ContentLength