github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 11:01:11 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

we can't trust CSRF for anon the way it is designed.

Browse Source 
The page they have loaded may be cached we need a different way of delivering the CSRF potentially
This commit is contained in:
Sam
2013-05-03 16:43:11 +10:00
parent 4d2c28e8b2
commit 42494b5bb1
5 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/session_controller.rb
View File

@ -1,5 +1,10 @@
class SessionController < ApplicationController class SessionController < ApplicationController
# we need to allow account login with bad CSRF tokens, if people are caching, the CSRF token on the
# page is going to be empty, this means that server will see an invalid CSRF and blow the session
# once that happens you can't log in with social
skip_before_filter :verify_authenticity_token, only: [:create]
def create def create
requires_parameter(:login, :password) requires_parameter(:login, :password)

5
app/controllers/users_controller.rb
View File

@ -8,6 +8,11 @@ class UsersController < ApplicationController
before_filter :ensure_logged_in, only: [:username, :update, :change_email, :user_preferences_redirect] before_filter :ensure_logged_in, only: [:username, :update, :change_email, :user_preferences_redirect]
# we need to allow account creation with bad CSRF tokens, if people are caching, the CSRF token on the
# page is going to be empty, this means that server will see an invalid CSRF and blow the session
# once that happens you can't log in with social
skip_before_filter :verify_authenticity_token, only: [:create]
def show def show
@user = fetch_user_from_params @user = fetch_user_from_params
user_serializer = UserSerializer.new(@user, scope: guardian, root: 'user') user_serializer = UserSerializer.new(@user, scope: guardian, root: 'user')

9
app/helpers/application_helper.rb
View File

@ -10,6 +10,15 @@ module ApplicationHelper
include CanonicalURL::Helpers include CanonicalURL::Helpers
include ConfigurableUrls include ConfigurableUrls
def discourse_csrf_tags
# anon can not have a CSRF token cause these are all pages
# that may be cached, causing a mismatch between session CSRF
# and CSRF on page and horrible impossible to debug login issues
if current_user
csrf_meta_tags
end
end
def with_format(format, &block) def with_format(format, &block)
old_formats = formats old_formats = formats
self.formats = [format] self.formats = [format]

2
app/views/layouts/application.html.erb
View File

@ -15,7 +15,7 @@
<%= render :partial => "common/special_font_face" %> <%= render :partial => "common/special_font_face" %>
<%= render :partial => "common/discourse_stylesheet" %> <%= render :partial => "common/discourse_stylesheet" %>
<%= csrf_meta_tags %> <%= discourse_csrf_tags %>
<%= yield :head %> <%= yield :head %>
</head> </head>

2
app/views/layouts/no_js.html.erb
View File

@ -11,7 +11,7 @@
<%= render :partial => "common/special_font_face" %> <%= render :partial => "common/special_font_face" %>
<%= render :partial => "common/discourse_stylesheet" %> <%= render :partial => "common/discourse_stylesheet" %>
<%=csrf_meta_tags%> <%= discourse_csrf_tags %>
</head> </head>
<body> <body>