Set default protect from forgery true (#36317).

Patch by Takashi Kato. git-svn-id: http://svn.redmine.org/redmine/trunk@21379 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 19:47:14 +00:00 · 2022-01-22 08:43:42 +00:00 · 2022-01-22 08:43:42 +00:00 · 9cda1638bd
commit 9cda1638bd
parent ff2752f736
2 changed files with 13 additions and 7 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -38,8 +38,6 @@ class ApplicationController < ActionController::Base

  layout 'base'

-  protect_from_forgery
-
  def verify_authenticity_token
    unless api_request?
      super
@ -48,11 +46,16 @@ class ApplicationController < ActionController::Base

  def handle_unverified_request
    unless api_request?
-      super
-      cookies.delete(autologin_cookie_name)
-      self.logged_user = nil
-      set_localization
-      render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      begin
+        super
+      rescue ActionController::InvalidAuthenticityToken => e
+        logger.error("ActionController::InvalidAuthenticityToken: #{e.message}") if logger
+      ensure
+        cookies.delete(autologin_cookie_name)
+        self.logged_user = nil
+        set_localization
+        render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      end
    end
  end

--- a/config/application.rb
+++ b/config/application.rb
@ -58,6 +58,9 @@ module RedmineApp
    # Do not include all helpers
    config.action_controller.include_all_helpers = false

+    # Add forgery protection
+    config.action_controller.default_protect_from_forgery = true
+
    # Sets the Content-Length header on responses with fixed-length bodies
    config.middleware.insert_before Rack::Sendfile, Rack::ContentLength