summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--app/views/layouts/base.rhtml1
-rw-r--r--public/javascripts/application.js22
2 files changed, 21 insertions, 2 deletions
diff --git a/app/views/layouts/base.rhtml b/app/views/layouts/base.rhtml
index fda4e2954..7e9e4e1ec 100644
--- a/app/views/layouts/base.rhtml
+++ b/app/views/layouts/base.rhtml
@@ -5,6 +5,7 @@
<title><%=h html_title %></title>
<meta name="description" content="<%= Redmine::Info.app_name %>" />
<meta name="keywords" content="issue,bug,tracker" />
+<%= csrf_meta_tag %>
<%= favicon %>
<%= stylesheet_link_tag 'application', :media => 'all' %>
<%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>
diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index a88856ea6..3996404bb 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -299,9 +299,27 @@ var WarnLeavingUnsaved = Class.create({
}
});
-/* shows and hides ajax indicator */
+/*
+ * 1 - registers a callback which copies the csrf token into the
+ * X-CSRF-Token header with each ajax request. Necessary to
+ * work with rails applications which have fixed
+ * CVE-2011-0447
+ * 2 - shows and hides ajax indicator
+ */
Ajax.Responders.register({
- onCreate: function(){
+ onCreate: function(request){
+ var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
+
+ if (csrf_meta_tag) {
+ var header = 'X-CSRF-Token',
+ token = csrf_meta_tag.readAttribute('content');
+
+ if (!request.options.requestHeaders) {
+ request.options.requestHeaders = {};
+ }
+ request.options.requestHeaders[header] = token;
+ }
+
if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
Element.show('ajax-indicator');
}