Merge pull request #563 from opf/fix/json_hijacking

[FIX] JSON hijacking
pull/565/head
meeee 11 years ago
commit 6ca2d36c2c
  1. 2
      Gemfile
  2. 4
      Gemfile.lock
  3. 1
      config.ru
  4. 1
      doc/CHANGELOG.md

@ -72,6 +72,8 @@ gem 'oj'
# will need to be removed once we are on rails4 as it will be part of the rails4 core
gem 'strong_parameters'
gem 'rack-protection'
group :production do
# we use dalli as standard memcache client remove this if you don't
# requires memcached 1.4+

@ -23,6 +23,7 @@ GIT
prototype_legacy_helper (0.0.0)
GEM
remote: https://rubygems.org/
remote: https://rubygems.org/
specs:
actionmailer (3.2.15)
@ -224,6 +225,8 @@ GEM
rack (1.4.5)
rack-cache (1.2)
rack (>= 0.4)
rack-protection (1.5.1)
rack
rack-ssl (1.3.3)
rack
rack-test (0.6.2)
@ -399,6 +402,7 @@ DEPENDENCIES
pry-rescue
pry-stack_explorer
rabl
rack-protection
rack_session_access
rails (~> 3.2.15)
rails-dev-tweaks (~> 0.6.1)

@ -29,4 +29,5 @@
# This file is used by Rack-based servers to start the application.
require ::File.expand_path('../config/environment', __FILE__)
use Rack::Protection::JsonCsrf
run OpenProject::Application

@ -29,6 +29,7 @@ See doc/COPYRIGHT.rdoc for more details.
# Changelog
* `#1749` Prevent JSON Hijacking
* `#2580` Fixed some unlikely remote code executions
## 3.0.0pre23

Loading…
Cancel
Save