Hi all, I think CSRF protection broke in rails 2.3.11. As in: it's turned off now.
I tried this in rails 2.3.10 and in 2.3.11, and 2.3.11 seems broken.

  > rails csrftest
  > cd csrftest
  > script/generate scaffold post title:string
  > rake db:migrate

Now I visit /posts/new in my browser, use Firebug to delete or change the authenticity token, and submit the form.

  rails 2.3.11: all fine, new post saved
  rails 2.3.10: ActionController::InvalidAuthenticityToken

I checked ApplicationController to see if it still contained "protect_from_forgery", which is the case.

I read the announcement for the CSRF changes in 2.3.11, and they talk about overriding handle_unverified_request for special cases where there are other ways of authenticating a user. In the simple case I demonstrated, though, there is no concept of a user or logging in (or a session), so the default action of resetting the session is not very useful.

In my opinion, CSRF protection is about verifying a request. It doesn't have anything to do with users/sessions/authentication. By default, a faulty request (unprotected/wrong token) should not reach the normal controller action code at all, so the main action to take when a non-verified request comes in is to have the before_filter chain halt. Nothing more, nothing less. Extra stuff (like destroying a session) is up to the user (or nice to leave in as a default).

So I think the behavior in 2.3.11 is just wrong, because in the example I gave, the forms just get submitted and stuff gets persisted to the database. It's not clear from the announcement at all that you should now make sure the filter chain halts, or that you must protect your actions by something that's stored in the session (because that's all that gets done when a faulty request hits).

Maybe I'm just doing something wrong here, please let me know.

Mathijs
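The difference the post is describing, modelled as a stand-alone Ruby example (added here; this is neither Rails' own forgery-protection code nor code from the poster). `CsrfGuard`, `HaltingCsrfGuard`, `process` and `run_scenario` are hypothetical names chosen for the illustration. The base class mirrors the "reset the session and let the request continue" behaviour the post observed in 2.3.11: the action still runs and would persist the record. The subclass shows the `handle_unverified_request` override the announcement points to, which halts the chain by raising, so the action never runs. Token comparison is constant-time so the check does not leak timing information.

```ruby
require 'securerandom'

# Raised by the hardened guard to stop the request before the action runs.
class InvalidAuthenticityToken < StandardError; end

# Minimal model of a forgery-protection before-filter (hypothetical, not Rails).
class CsrfGuard
  attr_reader :session, :action_ran

  def initialize(session)
    @session = session      # hash standing in for the Rails session store
    @action_ran = false     # set when the "controller action" is reached
  end

  # Constant-time comparison: the same number of byte operations regardless of
  # where the strings differ, so timing cannot reveal how much of a token matched.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.each_with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
    diff.zero?
  end

  # A request is verified only if the session holds a token and the submitted
  # authenticity_token matches it exactly.
  def verified_request?(params)
    expected = session[:_csrf_token]
    submitted = params['authenticity_token']
    !expected.nil? && self.class.secure_compare(expected, submitted)
  end

  # Default behaviour described in the post: reset the session, nothing else.
  # Control returns to process, so the action still executes.
  def handle_unverified_request
    session.clear
  end

  # Stand-in for the before_filter followed by the controller action.
  def process(params)
    handle_unverified_request unless verified_request?(params)
    @action_ran = true      # reached unless the handler raised
    :saved                  # e.g. the new Post was written to the database
  end
end

# Override that halts the filter chain: reset the session (kept as a default)
# and then raise, so process never reaches the action.
class HaltingCsrfGuard < CsrfGuard
  def handle_unverified_request
    super
    raise InvalidAuthenticityToken, 'authenticity token missing or wrong'
  end
end

# Runs one constructed request through the chosen guard. With tamper: true the
# submitted token is replaced by garbage, like deleting/editing it in Firebug.
# Returns [:allowed | :halted, whether the action ran].
def run_scenario(guard_class, tamper:)
  token = SecureRandom.hex(16)                      # constructed session token
  guard = guard_class.new({ _csrf_token: token })
  params = { 'authenticity_token' => (tamper ? 'tampered' : token) }
  guard.process(params)
  [:allowed, guard.action_ran]
rescue InvalidAuthenticityToken
  [:halted, guard.action_ran]
end

if __FILE__ == $PROGRAM_NAME
  puts "default guard, tampered token:  #{run_scenario(CsrfGuard, tamper: true).inspect}"
  puts "halting guard, tampered token:  #{run_scenario(HaltingCsrfGuard, tamper: true).inspect}"
  puts "halting guard, valid token:     #{run_scenario(HaltingCsrfGuard, tamper: false).inspect}"
end
```

With the default guard a tampered request comes back `[:allowed, true]`: the session was wiped but the action still ran, which is exactly the "new post saved" outcome in the post. With the halting variant the same request yields `[:halted, false]`. In a real application the equivalent of the override would live in ApplicationController, where the announcement says `handle_unverified_request` is meant to be customised.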
