CSRF Protection: Don't attempt to catch unused InvalidAuthenticityToken

Rails doesn't raise InvalidAuthenticityToken since 3.0.4

For more information, see
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/
pull/1277/head
Michael Frister 11 years ago
parent c2fdfd0f1d
commit ed7ffdc616
1 changed file, 10 deletions: app/controllers/application_controller.rb

@ -97,8 +97,6 @@ class ApplicationController < ActionController::Base
:stop_if_feeds_disabled,
:set_cache_buster
rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
include Redmine::Search::Controller
include Redmine::MenuManager::MenuController
helper Redmine::MenuManager::MenuHelper
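Review bot: dropping this rescue_from silently assumes the application runs on Rails 3.0.4 or later, where (as the commit message states) ActionController::InvalidAuthenticityToken is no longer raised and a failed CSRF check is instead routed through the controller's handle_unverified_request hook, which resets the session. On an older Rails the exception would now propagate unhandled and the user would get a generic error page instead of the 'Invalid form authenticity token.' response the removed handler produced; please confirm the Rails dependency is pinned to >= 3.0.4 and state that constraint in the commit message. Also check that nothing else (other controllers, tests) still references :invalid_authenticity_token, since the method it names is removed in the hunk below.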
@ -537,14 +535,6 @@ class ApplicationController < ActionController::Base
request.xhr? ? false : 'base'
end
def invalid_authenticity_token
if api_request?
logger.error 'Form authenticity token is missing or is invalid. ' \
'API calls must include a proper Content-type header (text/xml or text/json).'
end
render_error 'Invalid form authenticity token.'
end
def render_feed(items, options = {})
@items = items || []
@items.sort! { |x, y| y.event_datetime <=> x.event_datetime }
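Review bot: removing invalid_authenticity_token also removes the only diagnostic API callers had, the logger.error line telling them that 'API calls must include a proper Content-type header (text/xml or text/json).', together with the explicit 'Invalid form authenticity token.' error response. With no handler left, an API request that fails the CSRF check will neither be logged nor answered with that message, which makes a misconfigured client noticeably harder to debug. If the diagnostic is still wanted, consider moving the api_request? branch into an override of handle_unverified_request instead of deleting it; otherwise the commit message should say that losing this logging and error page is intentional.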
