diff options
-rw-r--r-- | app/views/layouts/base.rhtml | 1 | ||||
-rw-r--r-- | public/javascripts/application.js | 22 |
2 files changed, 21 insertions, 2 deletions
diff --git a/app/views/layouts/base.rhtml b/app/views/layouts/base.rhtml index fda4e2954..7e9e4e1ec 100644 --- a/app/views/layouts/base.rhtml +++ b/app/views/layouts/base.rhtml @@ -5,6 +5,7 @@ <title><%=h html_title %></title> <meta name="description" content="<%= Redmine::Info.app_name %>" /> <meta name="keywords" content="issue,bug,tracker" /> +<%= csrf_meta_tag %> <%= favicon %> <%= stylesheet_link_tag 'application', :media => 'all' %> <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %> diff --git a/public/javascripts/application.js b/public/javascripts/application.js index a88856ea6..3996404bb 100644 --- a/public/javascripts/application.js +++ b/public/javascripts/application.js @@ -299,9 +299,27 @@ var WarnLeavingUnsaved = Class.create({ } }); -/* shows and hides ajax indicator */ +/* + * 1 - registers a callback which copies the csrf token into the + * X-CSRF-Token header with each ajax request. Necessary to + * work with rails applications which have fixed + * CVE-2011-0447 + * 2 - shows and hides ajax indicator + */ Ajax.Responders.register({ - onCreate: function(){ + onCreate: function(request){ + var csrf_meta_tag = $$('meta[name=csrf-token]')[0]; + + if (csrf_meta_tag) { + var header = 'X-CSRF-Token', + token = csrf_meta_tag.readAttribute('content'); + + if (!request.options.requestHeaders) { + request.options.requestHeaders = {}; + } + request.options.requestHeaders[header] = token; + } + if ($('ajax-indicator') && Ajax.activeRequestCount > 0) { Element.show('ajax-indicator'); } |