actionpack 2.3.10 → 2.3.11

data/CHANGELOG

@@ -1,3 +1,7 @@
+*2.3.11 (February 9, 2011)*
+
+* Two security fixes. CVE-2011-0446, CVE-2011-0447
+
 *2.3.10 (October 15, 2010)*
 
 *2.3.9 (September 4, 2010)*

data/Rakefile

@@ -79,7 +79,7 @@ spec = Gem::Specification.new do |s|
   s.has_rdoc = true
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.3.10' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.11' + PKG_BUILD)
   s.add_dependency('rack', '~> 1.1.0')
 
   s.require_path = 'lib'

data/lib/action_controller/cookies.rb

@@ -60,7 +60,7 @@ module ActionController #:nodoc:
     attr_reader :controller
     
     def initialize(controller)
-      @controller, @cookies = controller, controller.request.cookies
+      @controller, @cookies, @secure = controller, controller.request.cookies, controller.request.ssl?
       super()
       update(@cookies)
     end
@@ -81,7 +81,7 @@ module ActionController #:nodoc:
 
       options[:path] = "/" unless options.has_key?(:path)
       super(key.to_s, options[:value])
-      @controller.response.set_cookie(key, options)
+      @controller.response.set_cookie(key, options) if write_cookie?(options)
     end
 
     # Removes the cookie on the client machine by setting the value to an empty string
@@ -126,6 +126,12 @@ module ActionController #:nodoc:
     def signed
       @signed ||= SignedCookieJar.new(self)
     end
+
+    private
+
+      def write_cookie?(cookie)
+        @secure || !cookie[:secure] || defined?(Rails.env) && Rails.env.development?
+      end
   end
   
   class PermanentCookieJar < CookieJar #:nodoc:

data/lib/action_controller/request_forgery_protection.rb

@@ -76,7 +76,11 @@ module ActionController #:nodoc:
     protected
       # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
       def verify_authenticity_token
-        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+        verified_request? || handle_unverified_request
+      end
+
+      def handle_unverified_request
+        reset_session
       end
       
       # Returns true or false if a request is verified.  Checks:
@@ -85,11 +89,10 @@ module ActionController #:nodoc:
       # * is it a GET request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       def verified_request?
-        !protect_against_forgery?     ||
-          request.method == :get      ||
-          request.xhr?                ||
-          !verifiable_request_format? ||
-          form_authenticity_token == form_authenticity_param
+        !protect_against_forgery?                            ||
+          request.get?                                       ||
+          form_authenticity_token == form_authenticity_param ||
+          form_authenticity_token == request.headers['X-CSRF-Token']
       end
 
       def form_authenticity_param

data/lib/action_controller/session/abstract_store.rb

@@ -195,22 +195,8 @@ module ActionController
           request_cookies = env["rack.request.cookie_hash"]
 
           if (request_cookies.nil? || request_cookies[@key] != sid) || options[:expire_after]
-            cookie = Rack::Utils.escape(@key) + '=' + Rack::Utils.escape(sid)
-            cookie << "; domain=#{options[:domain]}" if options[:domain]
-            cookie << "; path=#{options[:path]}" if options[:path]
-            if options[:expire_after]
-              expiry = Time.now + options[:expire_after]
-              cookie << "; expires=#{expiry.httpdate}"
-            end
-            cookie << "; secure" if options[:secure]
-            cookie << "; HttpOnly" if options[:httponly]
-
-            headers = response[1]
-            unless headers[SET_COOKIE].blank?
-              headers[SET_COOKIE] << "\n#{cookie}"
-            else
-              headers[SET_COOKIE] = cookie
-            end
+            cookie = {:value => sid}
+            Rack::Utils.set_cookie_header!(response[1], @key, cookie.merge(options))
           end
         end
 

data/lib/action_controller/session/cookie_store.rb

@@ -52,7 +52,6 @@ module ActionController
 
       ENV_SESSION_KEY = "rack.session".freeze
       ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
-      HTTP_SET_COOKIE = "Set-Cookie".freeze
 
       # Raised when storing more than 4K of session data.
       class CookieOverflow < StandardError; end
@@ -116,9 +115,7 @@ module ActionController
             cookie[:expires] = Time.now + options[:expire_after]
           end
 
-          cookie = build_cookie(@key, cookie.merge(options))
-          headers[HTTP_SET_COOKIE] = [] if headers[HTTP_SET_COOKIE].blank?
-          headers[HTTP_SET_COOKIE] << cookie
+          Rack::Utils.set_cookie_header!(headers, @key, cookie.merge(options))
         end
 
         [status, headers, body]
@@ -130,26 +127,6 @@ module ActionController
           env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
           env[ENV_SESSION_OPTIONS_KEY] = AbstractStore::OptionsHash.new(self, env, @default_options)
         end
-      
-        # Should be in Rack::Utils soon
-        def build_cookie(key, value)
-          case value
-          when Hash
-            domain  = "; domain="  + value[:domain] if value[:domain]
-            path    = "; path="    + value[:path]   if value[:path]
-            # According to RFC 2109, we need dashes here.
-            # N.B.: cgi.rb uses spaces...
-            expires = "; expires=" + value[:expires].clone.gmtime.
-              strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
-            secure = "; secure" if value[:secure]
-            httponly = "; HttpOnly" if value[:httponly]
-            value = value[:value]
-          end
-          value = [value] unless Array === value
-          cookie = Rack::Utils.escape(key) + "=" +
-            value.map { |v| Rack::Utils.escape(v) }.join("&") +
-            "#{domain}#{path}#{expires}#{secure}#{httponly}"
-        end
 
         def load_session(env)
           data = unpacked_cookie_data(env)

data/lib/action_controller/session/mem_cache_store.rb

@@ -1,6 +1,6 @@
 begin
   require_library_or_gem 'memcache'
-
+  require 'thread'
   module ActionController
     module Session
       class MemCacheStore < AbstractStore

data/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 10
+    TINY  = 11
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/lib/action_view/helpers.rb

@@ -6,6 +6,7 @@ module ActionView #:nodoc:
     autoload :BenchmarkHelper, 'action_view/helpers/benchmark_helper'
     autoload :CacheHelper, 'action_view/helpers/cache_helper'
     autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+    autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
     autoload :DateHelper, 'action_view/helpers/date_helper'
     autoload :DebugHelper, 'action_view/helpers/debug_helper'
     autoload :FormHelper, 'action_view/helpers/form_helper'
@@ -38,6 +39,7 @@ module ActionView #:nodoc:
     include BenchmarkHelper
     include CacheHelper
     include CaptureHelper
+    include CsrfHelper
     include DateHelper
     include DebugHelper
     include FormHelper

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -1,6 +1,7 @@
 require 'cgi'
 require 'action_view/helpers/url_helper'
 require 'action_view/helpers/tag_helper'
+require 'thread'
 
 module ActionView
   module Helpers #:nodoc:

data/lib/action_view/helpers/csrf_helper.rb

@@ -0,0 +1,14 @@
+module ActionView
+  # = Action View CSRF Helper
+  module Helpers
+    module CsrfHelper
+      # Returns a meta tag with the cross-site request forgery protection token
+      # for forms to use. Place this in your head.
+      def csrf_meta_tag
+        if protect_against_forgery?
+          %(<meta name="csrf-param" content="#{h(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{h(form_authenticity_token)}"/>).html_safe
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/form_helper.rb

@@ -665,7 +665,7 @@ module ActionView
       #
       # The HTML specification says unchecked check boxes are not successful, and
       # thus web browsers do not send them. Unfortunately this introduces a gotcha:
-      # if an Invoice model has a +paid+ flag, and in the form that edits a paid
+      # if an +Invoice+ model has a +paid+ flag, and in the form that edits a paid
       # invoice the user unchecks its check box, no +paid+ parameter is sent. So,
       # any mass-assignment idiom like
       #
@@ -673,12 +673,15 @@ module ActionView
       #
       # wouldn't update the flag.
       #
-      # To prevent this the helper generates a hidden field with the same name as
-      # the checkbox after the very check box. So, the client either sends only the
-      # hidden field (representing the check box is unchecked), or both fields.
-      # Since the HTML specification says key/value pairs have to be sent in the
-      # same order they appear in the form and Rails parameters extraction always
-      # gets the first occurrence of any given key, that works in ordinary forms.
+      # To prevent this the helper generates an auxiliary hidden field before
+      # the very check box. The hidden field has the same name and its
+      # attributes mimick an unchecked check box.
+      #
+      # This way, the client either sends only the hidden field (representing
+      # the check box is unchecked), or both fields. Since the HTML specification
+      # says key/value pairs have to be sent in the same order they appear in the
+      # form, and parameters extraction gets the last occurrence of any repeated
+      # key in the query string, that works for ordinary forms.
       #
       # Unfortunately that workaround does not work when the check box goes
       # within an array-like parameter, as in
@@ -689,22 +692,26 @@ module ActionView
       #   <% end %>
       #
       # because parameter name repetition is precisely what Rails seeks to distinguish
-      # the elements of the array.
+      # the elements of the array. For each item with a checked check box you
+      # get an extra ghost item with only that attribute, assigned to "0".
+      #
+      # In that case it is preferable to either use +check_box_tag+ or to use
+      # hashes instead of arrays.
       #
       # ==== Examples
       #   # Let's say that @post.validated? is 1:
       #   check_box("post", "validated")
-      #   # => <input type="checkbox" id="post_validated" name="post[validated]" value="1" />
-      #   #    <input name="post[validated]" type="hidden" value="0" />
+      #   # => <input name="post[validated]" type="hidden" value="0" />
+      #   #    <input type="checkbox" id="post_validated" name="post[validated]" value="1" />
       #
       #   # Let's say that @puppy.gooddog is "no":
       #   check_box("puppy", "gooddog", {}, "yes", "no")
-      #   # => <input type="checkbox" id="puppy_gooddog" name="puppy[gooddog]" value="yes" />
-      #   #    <input name="puppy[gooddog]" type="hidden" value="no" />
+      #   # => <input name="puppy[gooddog]" type="hidden" value="no" />
+      #   #    <input type="checkbox" id="puppy_gooddog" name="puppy[gooddog]" value="yes" />
       #
       #   check_box("eula", "accepted", { :class => 'eula_check' }, "yes", "no")
-      #   # => <input type="checkbox" class="eula_check" id="eula_accepted" name="eula[accepted]" value="yes" />
-      #   #    <input name="eula[accepted]" type="hidden" value="no" />
+      #   # => <input name="eula[accepted]" type="hidden" value="no" />
+      #   #    <input type="checkbox" class="eula_check" id="eula_accepted" name="eula[accepted]" value="yes" />
       #
       def check_box(object_name, method, options = {}, checked_value = "1", unchecked_value = "0")
         InstanceTag.new(object_name, method, self, options.delete(:object)).to_check_box_tag(options, checked_value, unchecked_value)

data/lib/action_view/helpers/url_helper.rb

@@ -471,7 +471,8 @@ module ActionView
         email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
 
         if encode == "javascript"
-          "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge({ "href" => "mailto:"+email_address+extras }))}');".each_byte do |c|
+          html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge({ "href" => "mailto:"+html_escape(email_address)+extras }))
+          "document.write('#{escape_javascript(html)}');".each_byte do |c|
             string << sprintf("%%%x", c)
           end
           "<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>"

data/lib/action_view/renderable_partial.rb

@@ -27,7 +27,7 @@ module ActionView
     def render_partial(view, object = nil, local_assigns = {}, as = nil)
       object ||= local_assigns[:object] || local_assigns[variable_name]
 
-      if object.nil? && view.respond_to?(:controller)
+      if object.nil? && !local_assigns_key?(local_assigns) && view.respond_to?(:controller)
         ivar = :"@#{variable_name}"
         object =
           if view.controller.instance_variable_defined?(ivar)
@@ -43,5 +43,11 @@ module ActionView
 
       render_template(view, local_assigns)
     end
+
+    private
+
+      def local_assigns_key?(local_assigns)
+        local_assigns.key?(:object) || local_assigns.key?(variable_name)
+      end
   end
 end

data/test/controller/cookie_test.rb

@@ -100,11 +100,26 @@ class CookieTest < ActionController::TestCase
   end
   
   def test_setting_cookie_with_secure
+    @request.env["HTTPS"] = "on"
     get :authenticate_with_secure
     assert_equal ["user_name=david; path=/; secure"], @response.headers["Set-Cookie"]
     assert_equal({"user_name" => "david"}, @response.cookies)
   end
 
+  def test_setting_cookie_with_secure_in_development
+    with_environment(:development) do
+      get :authenticate_with_secure
+      assert_equal ["user_name=david; path=/; secure"], @response.headers["Set-Cookie"]
+      assert_equal({"user_name" => "david"}, @response.cookies)
+    end
+  end
+
+  def test_not_setting_cookie_with_secure
+    get :authenticate_with_secure
+    assert_not_equal ["user_name=david; path=/; secure"], @response.headers["Set-Cookie"]
+    assert_not_equal({"user_name" => "david"}, @response.cookies)
+  end
+
   def test_multiple_cookies
     get :set_multiple_cookies
     assert_equal 2, @response.cookies.size
@@ -177,4 +192,17 @@ class CookieTest < ActionController::TestCase
     assert_match %r(#{20.years.from_now.year}), @response.headers["Set-Cookie"].first
     assert_equal 100, @controller.send(:cookies).signed[:remember_me]
   end
+
+  private
+    def with_environment(enviroment)
+      old_rails = Object.const_get(:Rails) rescue nil
+      mod = Object.const_set(:Rails, Module.new)
+      (class << mod; self; end).instance_eval do
+        define_method(:env) { @_env ||= ActiveSupport::StringInquirer.new(enviroment.to_s) }
+      end
+      yield
+    ensure
+      Object.module_eval { remove_const(:Rails) } if defined?(Rails)
+      Object.const_set(:Rails, old_rails) if old_rails
+    end
 end

data/test/controller/reloader_test.rb

@@ -1,4 +1,5 @@
 require 'abstract_unit'
+require 'thread'
 
 class ReloaderTests < ActiveSupport::TestCase
   Reloader   = ActionController::Reloader

data/test/controller/render_test.rb

@@ -716,6 +716,11 @@ class TestController < ActionController::Base
     render :partial => "customer"
   end
 
+  def partial_with_implicit_local_assignment_and_nil_local
+    @customer = Customer.new("Marcel")
+    render :partial => "customer", :locals => { :customer => nil }
+  end
+
   def render_call_to_partial_with_layout
     render :action => "calling_partial_with_layout"
   end
@@ -1543,6 +1548,13 @@ class RenderTest < ActionController::TestCase
     end
   end
 
+  def test_partial_with_implicit_local_assignment_and_nil_local
+    assert_not_deprecated do
+      get :partial_with_implicit_local_assignment_and_nil_local
+      assert_equal "Hello: Anonymous", @response.body
+    end
+  end
+
   def test_render_missing_partial_template
     assert_raise(ActionView::MissingTemplate) do
       get :missing_partial

data/test/controller/request_forgery_protection_test.rb

@@ -23,6 +23,10 @@ module RequestForgeryProtectionActions
     render :text => 'pwn'
   end
 
+  def meta
+    render :inline => "<%= csrf_meta_tag %>"
+  end
+
   def rescue_action(e) raise e end
 end
 
@@ -32,6 +36,16 @@ class RequestForgeryProtectionController < ActionController::Base
   protect_from_forgery :only => :index
 end
 
+class RequestForgeryProtectionControllerUsingOldBehaviour < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => %w(index meta)
+
+  def handle_unverified_request
+    raise(ActionController::InvalidAuthenticityToken)
+  end
+end
+
+
 class FreeCookieController < RequestForgeryProtectionController
   self.allow_forgery_protection = false
   
@@ -54,158 +68,92 @@ end
 # common test methods
 
 module RequestForgeryProtectionTests
-  def teardown
-    ActionController::Base.request_forgery_protection_token = nil
-  end
-  
+  def setup
+    @token      = "cf50faa3fe97702ca1ae"
 
-  def test_should_render_form_with_token_tag
-     get :index
-     assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
-   end
-
-   def test_should_render_button_to_with_token_tag
-     get :show_button
-     assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
-   end
-
-   def test_should_render_remote_form_with_only_one_token_parameter
-     get :remote_form
-     assert_equal 1, @response.body.scan(@token).size
-   end
-
-   def test_should_allow_get
-     get :index
-     assert_response :success
-   end
-
-   def test_should_allow_post_without_token_on_unsafe_action
-     post :unsafe
-     assert_response :success
-   end
-
-  def test_should_not_allow_html_post_without_token
-    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-    assert_raise(ActionController::InvalidAuthenticityToken) { post :index, :format => :html }
+    ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
   end
   
-  def test_should_not_allow_html_put_without_token
-    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-    assert_raise(ActionController::InvalidAuthenticityToken) { put :index, :format => :html }
-  end
   
-  def test_should_not_allow_html_delete_without_token
-    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-    assert_raise(ActionController::InvalidAuthenticityToken) { delete :index, :format => :html }
-  end
-
-  def test_should_allow_api_formatted_post_without_token
-    assert_nothing_raised do
-      post :index, :format => 'xml'
+  def test_should_render_form_with_token_tag
+    assert_not_blocked do
+      get :index
     end
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
   end
 
-  def test_should_not_allow_api_formatted_put_without_token
-    assert_nothing_raised do
-      put :index, :format => 'xml'
+  def test_should_render_button_to_with_token_tag
+    assert_not_blocked do
+      get :show_button
     end
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
   end
 
-  def test_should_allow_api_formatted_delete_without_token
-    assert_nothing_raised do
-      delete :index, :format => 'xml'
-    end
+  def test_should_allow_get
+    assert_not_blocked { get :index }
   end
 
-  def test_should_not_allow_api_formatted_post_sent_as_url_encoded_form_without_token
-    assert_raise(ActionController::InvalidAuthenticityToken) do
-      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-      post :index, :format => 'xml'
-    end
+  def test_should_allow_post_without_token_on_unsafe_action
+    assert_not_blocked { post :unsafe }
   end
 
-  def test_should_not_allow_api_formatted_put_sent_as_url_encoded_form_without_token
-    assert_raise(ActionController::InvalidAuthenticityToken) do
-      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-      put :index, :format => 'xml'
-    end
+  def test_should_not_allow_post_without_token
+    assert_blocked { post :index }
   end
 
-  def test_should_not_allow_api_formatted_delete_sent_as_url_encoded_form_without_token
-    assert_raise(ActionController::InvalidAuthenticityToken) do
-      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-      delete :index, :format => 'xml'
-    end
+  def test_should_not_allow_post_without_token_irrespective_of_format
+    assert_blocked { post :index, :format=>'xml' }
   end
 
-  def test_should_not_allow_api_formatted_post_sent_as_multipart_form_without_token
-    assert_raise(ActionController::InvalidAuthenticityToken) do
-      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
-      post :index, :format => 'xml'
-    end
+  def test_should_not_allow_put_without_token
+    assert_blocked { put :index }
   end
 
-  def test_should_not_allow_api_formatted_put_sent_as_multipart_form_without_token
-    assert_raise(ActionController::InvalidAuthenticityToken) do
-      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
-      put :index, :format => 'xml'
-    end
+  def test_should_not_allow_delete_without_token
+    assert_blocked { delete :index }
   end
 
-  def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_token
-    assert_raise(ActionController::InvalidAuthenticityToken) do
-      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
-      delete :index, :format => 'xml'
-    end
-  end
-  
-  def test_should_allow_xhr_post_without_token
-    assert_nothing_raised { xhr :post, :index }
-  end
-  
-  def test_should_allow_xhr_put_without_token
-    assert_nothing_raised { xhr :put, :index }
-  end
-  
-  def test_should_allow_xhr_delete_without_token
-    assert_nothing_raised { xhr :delete, :index }
+  def test_should_not_allow_xhr_post_without_token
+    assert_blocked { xhr :post, :index }
   end
-  
-  def test_should_allow_xhr_post_with_encoded_form_content_type_without_token
-    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-    assert_nothing_raised { xhr :post, :index }
-  end
-  
+
   def test_should_allow_post_with_token
-    post :index, :authenticity_token => @token
-    assert_response :success
+    assert_not_blocked { post :index, :authenticity_token => @token }
   end
   
   def test_should_allow_put_with_token
-    put :index, :authenticity_token => @token
-    assert_response :success
+    assert_not_blocked { put :index, :authenticity_token => @token }
   end
   
   def test_should_allow_delete_with_token
-    delete :index, :authenticity_token => @token
-    assert_response :success
+    assert_not_blocked { delete :index, :authenticity_token => @token }
   end
   
-  def test_should_allow_post_with_xml
-    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
-    post :index, :format => 'xml'
-    assert_response :success
+  def test_should_allow_post_with_token_in_header
+    @request.env['HTTP_X_CSRF_TOKEN'] = @token
+    assert_not_blocked { post :index }
+  end
+
+  def test_should_allow_delete_with_token_in_header
+    @request.env['HTTP_X_CSRF_TOKEN'] = @token
+    assert_not_blocked { delete :index }
   end
   
-  def test_should_allow_put_with_xml
-    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
-    put :index, :format => 'xml'
+  def test_should_allow_put_with_token_in_header
+    @request.env['HTTP_X_CSRF_TOKEN'] = @token
+    assert_not_blocked { put :index }
+  end
+
+  def assert_blocked
+    session[:something_like_user_id] = 1
+    yield
+    assert_nil session[:something_like_user_id], "session values are still present"
     assert_response :success
   end
   
-  def test_should_allow_delete_with_xml
-    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
-    delete :index, :format => 'xml'
+  def assert_not_blocked
+    assert_nothing_raised { yield }
     assert_response :success
   end
 end
@@ -214,15 +162,20 @@ end
 
 class RequestForgeryProtectionControllerTest < ActionController::TestCase
   include RequestForgeryProtectionTests
-  def setup
-    @controller = RequestForgeryProtectionController.new
-    @request    = ActionController::TestRequest.new
-    @request.format = :html
-    @response   = ActionController::TestResponse.new
-    @token      = "cf50faa3fe97702ca1ae"
 
-    ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
-    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  test 'should emit a csrf-token meta tag' do
+    ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
+    get :meta
+    assert_equal %(<meta name="csrf-param" content="authenticity_token"/>\n<meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>), @response.body
+  end
+end
+
+class RequestForgeryProtectionControllerUsingOldBehaviourTest < ActionController::TestCase
+  include RequestForgeryProtectionTests
+  def assert_blocked
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      yield
+    end
   end
 end
 
@@ -251,15 +204,30 @@ class FreeCookieControllerTest < ActionController::TestCase
       assert_nothing_raised { send(method, :index)}
     end
   end
+
+  test 'should not emit a csrf-token meta tag' do
+    get :meta
+    assert_blank @response.body
+  end
 end
 
+
+
+
+
 class CustomAuthenticityParamControllerTest < ActionController::TestCase
   def setup
+    ActionController::Base.request_forgery_protection_token = :custom_token_name
+    super
+  end
+
+  def teardown
     ActionController::Base.request_forgery_protection_token = :authenticity_token
+    super
   end
 
   def test_should_allow_custom_token
-    post :index, :authenticity_token => 'foobar'
+    post :index, :custom_token_name => 'foobar'
     assert_response :ok
   end
 end

data/test/controller/session/cookie_store_test.rb

@@ -106,7 +106,7 @@ class CookieStoreTest < ActionController::IntegrationTest
     with_test_route_set do
       get '/set_session_value'
       assert_response :success
-      assert_equal ["_myapp_session=#{response.body}; path=/; HttpOnly"],
+      assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
         headers['Set-Cookie']
    end
   end
@@ -159,7 +159,7 @@ class CookieStoreTest < ActionController::IntegrationTest
     with_test_route_set(:secure => true) do
       get '/set_session_value', nil, 'HTTPS' => 'on'
       assert_response :success
-      assert_equal ["_myapp_session=#{response.body}; path=/; secure; HttpOnly"],
+      assert_equal "_myapp_session=#{response.body}; path=/; secure; HttpOnly",
         headers['Set-Cookie']
     end
   end
@@ -195,12 +195,12 @@ class CookieStoreTest < ActionController::IntegrationTest
       get '/set_session_value'
       assert_response :success
       session_payload = response.body
-      assert_equal ["_myapp_session=#{response.body}; path=/; HttpOnly"],
+      assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
         headers['Set-Cookie']
 
       get '/call_reset_session'
       assert_response :success
-      assert_not_equal [], headers['Set-Cookie']
+      assert_not_equal "", headers['Set-Cookie']
       assert_not_equal session_payload, cookies[SessionKey]
 
       get '/get_session_value'
@@ -214,7 +214,7 @@ class CookieStoreTest < ActionController::IntegrationTest
       get '/set_session_value'
       assert_response :success
       session_payload = response.body
-      assert_equal ["_myapp_session=#{response.body}; path=/; HttpOnly"],
+      assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
         headers['Set-Cookie']
 
       get '/call_session_clear'

data/test/template/url_helper_test.rb

@@ -333,11 +333,11 @@ class UrlHelperTest < ActionView::TestCase
   end
 
   def test_mail_to_with_javascript
-    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript")
+    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%5c%22%3e%4d%79%20%65%6d%61%69%6c%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript")
   end
 
   def test_mail_to_with_javascript_unicode
-    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%75%6e%69%63%6f%64%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%22%3e%c3%ba%6e%69%63%6f%64%65%3c%2f%61%3e%27%29%3b'))</script>", mail_to("unicode@example.com", "únicode", :encode => "javascript")
+    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%75%6e%69%63%6f%64%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%5c%22%3e%c3%ba%6e%69%63%6f%64%65%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("unicode@example.com", "únicode", :encode => "javascript")
   end
 
   def test_mail_with_options
@@ -361,8 +361,8 @@ class UrlHelperTest < ActionView::TestCase
     assert_dom_equal "<a href=\"&#109;&#97;&#105;&#108;&#116;&#111;&#58;%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">&#109;&#101;&#40;&#97;&#116;&#41;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)")
     assert_dom_equal "<a href=\"&#109;&#97;&#105;&#108;&#116;&#111;&#58;%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">My email</a>", mail_to("me@domain.com", "My email", :encode => "hex", :replace_at => "(at)")
     assert_dom_equal "<a href=\"&#109;&#97;&#105;&#108;&#116;&#111;&#58;%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">&#109;&#101;&#40;&#97;&#116;&#41;&#100;&#111;&#109;&#97;&#105;&#110;&#40;&#100;&#111;&#116;&#41;&#99;&#111;&#109;</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
-    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
-    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%6d%65%28%61%74%29%64%6f%6d%61%69%6e%28%64%6f%74%29%63%6f%6d%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", nil, :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
+    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%5c%22%3e%4d%79%20%65%6d%61%69%6c%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
+    assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%5c%22%3e%6d%65%28%61%74%29%64%6f%6d%61%69%6e%28%64%6f%74%29%63%6f%6d%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", nil, :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
   end
   
   def protect_against_forgery?

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: actionpack
 version: !ruby/object:Gem::Version 
-  hash: 23
+  hash: 21
   prerelease: false
   segments: 
   - 2
   - 3
-  - 10
-  version: 2.3.10
+  - 11
+  version: 2.3.11
 platform: ruby
 authors: 
 - David Heinemeier Hansson
@@ -15,7 +15,7 @@ autorequire: action_controller
 bindir: bin
 cert_chain: []
 
-date: 2010-10-15 00:00:00 +13:00
+date: 2011-02-09 00:00:00 +13:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -26,12 +26,12 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 23
+        hash: 21
         segments: 
         - 2
         - 3
-        - 10
-        version: 2.3.10
+        - 11
+        version: 2.3.11
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -156,6 +156,7 @@ files:
 - lib/action_view/helpers/benchmark_helper.rb
 - lib/action_view/helpers/cache_helper.rb
 - lib/action_view/helpers/capture_helper.rb
+- lib/action_view/helpers/csrf_helper.rb
 - lib/action_view/helpers/date_helper.rb
 - lib/action_view/helpers/debug_helper.rb
 - lib/action_view/helpers/form_helper.rb