clearance 0.10.4 → 0.10.5

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+0.10.5
+-------------------
+
+* Closing CSRF hole for Rails >= 3.0.4 apps (Mack Earnhardt)
+
 0.10.4
 ------------------
 

data/Gemfile

@@ -2,7 +2,7 @@ source "http://rubygems.org"
 gem "cucumber"
 gem "aruba", "~> 0.2.7"
 gem "rake"
-gem "rails", ">= 3.0.3"
+gem "rails", ">= 3.0.6"
 gem "thin"
 gem "shoulda"
 gem "sqlite3"

data/Gemfile.lock

@@ -2,12 +2,12 @@ GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    actionmailer (3.0.3)
-      actionpack (= 3.0.3)
+    actionmailer (3.0.6)
+      actionpack (= 3.0.6)
       mail (~> 2.2.9)
-    actionpack (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    actionpack (3.0.6)
+      activemodel (= 3.0.6)
+      activesupport (= 3.0.6)
       builder (~> 2.1.2)
       erubis (~> 2.6.6)
       i18n (~> 0.4)
@@ -15,19 +15,19 @@ GEM
       rack-mount (~> 0.6.13)
       rack-test (~> 0.5.6)
       tzinfo (~> 0.3.23)
-    activemodel (3.0.3)
-      activesupport (= 3.0.3)
+    activemodel (3.0.6)
+      activesupport (= 3.0.6)
       builder (~> 2.1.2)
       i18n (~> 0.4)
-    activerecord (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    activerecord (3.0.6)
+      activemodel (= 3.0.6)
+      activesupport (= 3.0.6)
       arel (~> 2.0.2)
       tzinfo (~> 0.3.23)
-    activeresource (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
-    activesupport (3.0.3)
+    activeresource (3.0.6)
+      activemodel (= 3.0.6)
+      activesupport (= 3.0.6)
+    activesupport (3.0.6)
     arel (2.0.6)
     aruba (0.2.8)
       childprocess (~> 0.1.6)
@@ -58,7 +58,7 @@ GEM
     culerity (0.2.14)
     daemons (1.1.0)
     diesel (0.1.4)
-      railties (~> 3.0.3)
+      railties (~> 3.0.6)
     diff-lcs (1.1.2)
     dynamic_form (1.1.3)
     erubis (2.6.6)
@@ -93,17 +93,17 @@ GEM
       rack (>= 1.0.0)
     rack-test (0.5.7)
       rack (>= 1.0)
-    rails (3.0.3)
-      actionmailer (= 3.0.3)
-      actionpack (= 3.0.3)
-      activerecord (= 3.0.3)
-      activeresource (= 3.0.3)
-      activesupport (= 3.0.3)
+    rails (3.0.6)
+      actionmailer (= 3.0.6)
+      actionpack (= 3.0.6)
+      activerecord (= 3.0.6)
+      activeresource (= 3.0.6)
+      activesupport (= 3.0.6)
       bundler (~> 1.0)
-      railties (= 3.0.3)
-    railties (3.0.3)
-      actionpack (= 3.0.3)
-      activesupport (= 3.0.3)
+      railties (= 3.0.6)
+    railties (3.0.6)
+      actionpack (= 3.0.6)
+      activesupport (= 3.0.6)
       rake (>= 0.8.7)
       thor (~> 0.14.4)
     rake (0.8.7)
@@ -154,7 +154,7 @@ DEPENDENCIES
   factory_girl_rails
   launchy
   mocha
-  rails (>= 3.0.3)
+  rails (>= 3.0.6)
   rake
   rspec-rails
   shoulda

data/VERSION

@@ -1 +1 @@
-0.10.4
+0.10.5

data/lib/clearance/authentication.rb

@@ -92,6 +92,13 @@ module Clearance
 
       protected
 
+      # CSRF protection in Rails >= 3.0.4
+      # http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
+      def handle_unverified_request
+        super
+        sign_out
+      end
+
       def user_from_cookie
         if token = cookies[:remember_token]
           ::User.find_by_remember_token(token)

data/lib/generators/clearance/install/templates/README

@@ -5,6 +5,7 @@ Next steps:
 
 1. Configure the mailer to create full URLs in emails:
 
+     # config/environments/{development,test}.rb
      config.action_mailer.default_url_options = { :host => 'localhost:3000' }
 
    In production it should be your app's domain name.

data/spec/controllers/forgeries_controller_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+class ForgeriesController < ActionController::Base
+  include Clearance::Authentication
+  protect_from_forgery
+  before_filter :authenticate
+
+  # This is off in test by default, but we need it for this test
+  self.allow_forgery_protection = true
+
+  def create
+    redirect_to :action => 'index'
+  end
+end
+
+describe ForgeriesController do
+  context "signed in user" do
+    before do
+      Rails.application.routes.draw do
+        resources :forgeries
+        match 'sign_in'  => 'clearance/sessions#new', :as => 'sign_in'
+      end
+
+      @user = Factory(:user)
+      @user.update_attribute(:remember_token, "old-token")
+      @request.cookies["remember_token"] = "old-token"
+      @request.session[:_csrf_token] = "golden-ticket"
+    end
+
+    after do
+      Rails.application.reload_routes!
+    end
+
+    it "succeeds with authentic token" do
+      post :create, :authenticity_token => "golden-ticket"
+      subject.should redirect_to(:action => 'index')
+    end
+
+    it "redirects to sign_in with invalid token" do
+      post :create, :authenticity_token => "hax0r"
+      subject.should redirect_to(sign_in_url)
+    end
+
+    it "redirects to sign_in with no token" do
+      post :create
+      subject.should redirect_to(sign_in_url)
+    end
+  end
+end

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 10
-  - 4
-  version: 0.10.4
+  - 5
+  version: 0.10.5
 platform: ruby
 authors: 
 - Dan Croak
@@ -31,7 +31,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-04-16 00:00:00 -04:00
+date: 2011-04-19 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -155,6 +155,7 @@ files:
 - lib/generators/clearance/install/templates/db/migrate/upgrade_clearance_to_diesel.rb
 - lib/generators/clearance/install/templates/user.rb
 - lib/generators/clearance/views/views_generator.rb
+- spec/controllers/forgeries_controller_spec.rb
 - spec/controllers/passwords_controller_spec.rb
 - spec/controllers/sessions_controller_spec.rb
 - spec/controllers/users_controller_spec.rb