From 051741f05c17ae6ada2b3dad25cbc715e6f8e3d7 Mon Sep 17 00:00:00 2001
From: Eric Davis
Date: Sat, 14 Nov 2009 20:19:03 +0000
Subject: [PATCH] Merged r3051 from trunk with some changes for 0.8 sessions.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.8-stable@3053 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application.rb | 1 +
 config/environments/test.rb | 3 +++
 config/environments/test_pgsql.rb | 4 ++++
 config/environments/test_sqlite3.rb | 3 +++
 doc/CHANGELOG | 1 +
 5 files changed, 12 insertions(+)
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index 29772ca13..dfe7a2913 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -23,6 +23,7 @@ class ApplicationController < ActionController::Base
 before_filter :user_setup, :check_if_login_required, :set_localization
 filter_parameter_logging :password
+ protect_from_forgery :secret => session.first[:secret]
 include Redmine::MenuManager::MenuController
 helper Redmine::MenuManager::MenuHelper
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 7c821da07..40469f38d 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -15,3 +15,6 @@ config.action_controller.perform_caching = false
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection = false
diff --git a/config/environments/test_pgsql.rb b/config/environments/test_pgsql.rb
index 7c821da07..cc1c1aee0 100644
--- a/config/environments/test_pgsql.rb
+++ b/config/environments/test_pgsql.rb
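Review bot: The secret on the added `protect_from_forgery` line is read with `session.first[:secret]`, which assumes session options have already been registered with a `:secret` key in their first entry; if they have not, `session.first` is nil and the class fails to load with a bare NoMethodError instead of a clear configuration error. A guard such as `raise "session :secret must be configured before protect_from_forgery" unless session.first && session.first[:secret]` placed just above the new line would make that dependency explicit, and since calling `session` with no arguments at class level in Rails 2.x appears to register an extra empty options hash as a side effect, that is worth confirming too. Because this enables forgery protection for every non-GET action of every controller inheriting from ApplicationController, any non-browser client that posts without an authenticity token will now be rejected, and the commit does not say whether such callers exist. The class body continues outside the hunk.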
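Review bot: Setting `config.action_controller.allow_forgery_protection = false` in all three test environments (this hunk and the identical ones in config/environments/test_pgsql.rb and config/environments/test_sqlite3.rb) means the suite never exercises the check the commit introduces, so a regression that drops or misconfigures `protect_from_forgery` would pass unnoticed. Consider keeping the global switch but adding one functional test that re-enables it for a single POST and asserts the request is rejected without a token, e.g. `ActionController::Base.allow_forgery_protection = true` in a setup block with a matching teardown. The added comment could also state the reason instead of only linking, e.g. `# Functional tests post without an authenticity token; the CSRF check is covered by a dedicated test.` The test_pgsql.rb hunk additionally adds a trailing blank line that the other two do not.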
@@ -15,3 +15,7 @@ config.action_controller.perform_caching = false
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection = false
+
diff --git a/config/environments/test_sqlite3.rb b/config/environments/test_sqlite3.rb
index 7c821da07..40469f38d 100644
--- a/config/environments/test_sqlite3.rb
+++ b/config/environments/test_sqlite3.rb
@@ -15,3 +15,6 @@ config.action_controller.perform_caching = false
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection = false
diff --git a/doc/CHANGELOG b/doc/CHANGELOG
index 58b73601d..d7926d43a 100644
--- a/doc/CHANGELOG
+++ b/doc/CHANGELOG
@@ -11,6 +11,7 @@ http://www.redmine.org/
 * Fixed: First date of the date range not included in the time report with SQLite
 * Fixed: Password field not styled correctly on alternative stylesheet
 * Fixed: Error when sumbitting a POST request that requires a login
+* Fixed: CSRF vulnerabilities
 == 2009-11-04 v0.8.6