0001-set-default_protect_from_forgery-true.patch - Redmine

Patch #36317 » 0001-set-default_protect_from_forgery-true.patch

Takashi Kato, 2021-12-14 23:42

       layout 'base'
       protect_from_forgery
       def verify_authenticity_token
         unless api_request?
           super
-...
       def handle_unverified_request
         unless api_request?
           super
           cookies.delete(autologin_cookie_name)
           self.logged_user = nil
           set_localization
           render_error :status => 422, :message => l(:error_invalid_authenticity_token)
           begin
             super
           rescue ActionController::InvalidAuthenticityToken => e
             logger.error("ActionController::InvalidAuthenticityToken: #{e.message}") if logger
           ensure
             cookies.delete(autologin_cookie_name)
             self.logged_user = nil
             set_localization
             render_error :status => 422, :message => l(:error_invalid_authenticity_token)
           end
         end
       end

         # Do not include all helpers
         config.action_controller.include_all_helpers = false
         # Add forgery protection
         config.action_controller.default_protect_from_forgery = true
         # Sets the Content-Length header on responses with fixed-length bodies
         config.middleware.insert_before Rack::Sendfile, Rack::ContentLength

(1-1/1)