Re: [Radiant] Re: page_attachments / :secret / #protect_from_forgery error

2008-11-19 Thread Victor Zuniga


It seems Rails just patched a CSRF vulnerability yesterday.

http://weblog.rubyonrails.com/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

Victor



On 11/18/08 11:41 PM, "Sean Cribbs" <[EMAIL PROTECTED]> wrote:

> For some reason, the CSRF protections in Rails require that if you use
> :active_record_store for sessions, the key given in your config setting
> must be equivalent to the key given in the call to protect_from_forgery
> in the controller.  One way around this might be to add an
> after_initialize block like so:
> 
> config.after_initialize do
>   ActionController::Base.request_forgery_protection_options.update(:secret => 'putyourreallylongsha1hashkeyhere')
> end
> 
> Sean
> 
> Steven Line wrote:
>> Geez, I don't know what just happened here, but I stuck this line of
>> code in some obscure file I didn't even know existed and it fixed my
>> problem.
>> 
>> I stuck this line of code:
>> 
>>    protect_from_forgery :secret => 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index
>> 
>> into my
>> 
>>    radiant-0.6.9/app/controllers/admin/page_controller.rb
>> 
>> and the error went away.
>> 

Victor Zuniga
Westerville Public Library
126 S. State St. | Westerville, OH 43081
Phone: 614.882.7277 | ext 165


___
Radiant mailing list
Post:   Radiant@radiantcms.org
Search: http://radiantcms.org/mailing-list/search/
Site:   http://lists.radiantcms.org/mailman/listinfo/radiant


Re: [Radiant] Re: page_attachments / :secret / #protect_from_forgery error

2008-11-18 Thread Sean Cribbs
For some reason, the CSRF protections in Rails require that if you use 
:active_record_store for sessions, the key given in your config setting 
must be equivalent to the key given in the call to protect_from_forgery 
in the controller.  One way around this might be to add an 
after_initialize block like so:


config.after_initialize do
  ActionController::Base.request_forgery_protection_options.update(:secret => 'putyourreallylongsha1hashkeyhere')
end

Sean

Steven Line wrote:
Geez, I don't know what just happened here, but I stuck this line of 
code in some obscure file I didn't even know existed and it fixed my 
problem.


I stuck this line of code:

   protect_from_forgery :secret => 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index

into my

   radiant-0.6.9/app/controllers/admin/page_controller.rb

and the error went away.

  


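To make Sean's explanation concrete, here is an added Ruby sketch (not Rails' or Radiant's own code) of why the two secrets must agree: it assumes the token is derived as HMAC-SHA1 of the session id keyed by the secret, as actionpack 2.1 did when a :secret was configured, and the session id and secret strings are constructed sample values.

```ruby
require 'openssl'

# Added illustration, not Rails' or Radiant's own code. Models the
# Rails 2.1-era forgery check this thread trips over: when a :secret is
# configured (required with :active_record_store sessions), the token is
# assumed to be HMAC-SHA1 keyed by that secret over the session id, so the
# side that renders the form and the controller that verifies the POST
# must use the same secret.
class ForgeryProtection
  attr_reader :options  # stands in for request_forgery_protection_options

  def initialize(options = {})
    @options = { :digest => 'SHA1' }.merge(options)
  end

  # Token the form helper embeds in every form for this session.
  def form_authenticity_token(session_id)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(@options[:digest]),
                            @options[:secret].to_s, session_id.to_s)
  end

  # Check applied to an incoming request; a false result is what Rails
  # raises as InvalidAuthenticityToken. GET requests are not checked.
  def verified_request?(method, params, session_id)
    return true if method == :get
    params['authenticity_token'] == form_authenticity_token(session_id)
  end
end

SESSION_ID = 'constructed-session-id-1234'  # constructed sample value

# Steven's situation: the form was rendered under one secret, but the
# controller receiving the POST verifies with a different one.
def simulate_mismatch
  view_side  = ForgeryProtection.new(:secret => 'secret-from-config')
  controller = ForgeryProtection.new(:secret => 'other-controller-secret')
  params = { 'authenticity_token' => view_side.form_authenticity_token(SESSION_ID) }
  controller.verified_request?(:post, params, SESSION_ID)
end

# Sean's workaround in miniature: after_initialize pushes one value into the
# shared options hash, so helper and controller derive the same token.
def simulate_fix
  controller = ForgeryProtection.new(:secret => 'other-controller-secret')
  controller.options.update(:secret => 'secret-from-config')
  view_side  = ForgeryProtection.new(:secret => 'secret-from-config')
  params = { 'authenticity_token' => view_side.form_authenticity_token(SESSION_ID) }
  controller.verified_request?(:post, params, SESSION_ID)
end
```

A real secret should be a long random value, for example from SecureRandom.hex, rather than a typed phrase like the one in the thread.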


[Radiant] Re: page_attachments / :secret / #protect_from_forgery error

2008-11-18 Thread Steven Line
Geez, I don't know what just happened here, but I stuck this line of 
code in some obscure file I didn't even know existed and it fixed my 
problem.

I stuck this line of code:

   protect_from_forgery :secret => 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index

into my

   radiant-0.6.9/app/controllers/admin/page_controller.rb

and the error went away.

-- 
Posted via http://www.ruby-forum.com/.


[Radiant] Re: page_attachments / :secret / #protect_from_forgery error

2008-11-18 Thread Steven Line
It appears this link will help.  I would prefer to build sites 
without learning anything but sometimes I am forced.

http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html

-- 
Posted via http://www.ruby-forum.com/.