这是controller的最后一个module:
Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a forged link from another site, is done by embedding a token based on the session (which an attacker wouldn't know) in all forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller.
Only HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway).
Also,
GET requests are not protected as these should be indempotent anyway.
This is turned on with the
protect_from_forgery method, which will check the token and raise an
ActionController::InvalidAuthenticityToken if it doesn't match what was expected.
You can customize the error message in production by editing public/422.html.
A call to this method in ApplicationController is generated by default in post-Rails 2.0 applications.
The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form manually (without the
use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to include a hidden field named like that and set its value to what is returned by <tt>form_authenticity_token</tt>. Same applies to manually constructed Ajax requests. To make the token available through a global variable to scripts on a certain page, you could add something like this to a view:
<%= javascript_tag "window._token = '#{form_authenticity_token}'" %>
Request forgery protection is disabled by default in test environment. If you are upgrading from Rails 1.x, add this to
# config/environments/test.rb:
# Disable request forgery protection in test environment
config.action_controller.
allow_forgery_protection = false
- # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
- #
- # Example:
- #
- class FooController < ApplicationController
- # uses the cookie session store (then you don't need a separate :secret)
- protect_from_forgery :except => :index
- # uses one of the other session stores that uses a session_id value.
- protect_from_forgery :secret => 'my-little-pony', :except => :index
- # you can disable csrf protection on controller-by-controller basis:
- skip_before_filter :verify_authenticity_token
- end
- # Valid Options:
- #
- # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call. Set which actions are verified.
- # * <tt>:secret</tt> - Custom salt used to generate the <tt>form_authenticity_token</tt>.
- # Leave this off if you are using the cookie session store.
- # * <tt>:digest</tt> - Message digest used for hashing. Defaults to 'SHA1'.
2 实现
- module RequestForgeryProtection
- def self.included(base)
- base.class_eval do
- # 增加了一个options变量,并且设置为空
- class_inheritable_accessor :request_forgery_protection_options
- self.request_forgery_protection_options = {}
- # 增加了两个helper_method
- helper_method :form_authenticity_token
- helper_method :protect_against_forgery?
- end
- base.extend(ClassMethods)
- end
- module ClassMethods
- def protect_from_forgery(options = {})
- self.request_forgery_protection_token ||= :authenticity_token
- # 增加一个before_filter verify_authenticity_token
- before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
- request_forgery_protection_options.update(options)
- end
- end
- protected
- # The actual before_filter that is used. Modify this to change how you handle unverified requests.
- def verify_authenticity_token
- verified_request? || raise(ActionController::InvalidAuthenticityToken)
- end
- # Returns true or false if a request is verified. Checks:
- #
- # * is the format restricted? By default, only HTML and AJAX requests are checked.
- # * is it a GET request? Gets should be safe and idempotent
- # * Does the form_authenticity_token match the given _token value from the params?
- def verified_request?
- !protect_against_forgery? || # 1 如果不需要保护
- request.method == :get || # 2 如果是get方法
- !verifiable_request_format? || # 3 是不是需要验证的格式
- form_authenticity_token == params[request_forgery_protection_token] # 4 是不是正确的token
- end
- def verifiable_request_format?
- request.content_type.nil? || request.content_type.verify_request?
- end
- # Sets the token value for the current session. Pass a <tt>:secret</tt> option
- # in +protect_from_forgery+ to add a custom salt to the hash.
- def form_authenticity_token
- @form_authenticity_token ||= if !session.respond_to?(:session_id) # 没有session_id
- raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session."
- elsif request_forgery_protection_options[:secret]
- authenticity_token_from_session_id # 如果有secret 从session_id中获取token
- elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
- authenticity_token_from_cookie_session # 从cookie session中获取token
- else
- raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)."
- end
- end
- # Generates a unique digest using the session_id and the CSRF secret.
- def authenticity_token_from_session_id
- key = if request_forgery_protection_options[:secret].respond_to?(:call)
- request_forgery_protection_options[:secret].call(@session)
- else
- request_forgery_protection_options[:secret]
- end
- digest = request_forgery_protection_options[:digest] ||= 'SHA1'
- OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s)
- end
- # No secret was given, so assume this is a cookie session store.
- def authenticity_token_from_cookie_session
- session[:csrf_id] ||= CGI::Session.generate_unique_id
- session.dbman.generate_digest(session[:csrf_id])
- end
- def protect_against_forgery?
- allow_forgery_protection && request_forgery_protection_token
- end
- end
1117
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
