From 051741f05c17ae6ada2b3dad25cbc715e6f8e3d7 2009-11-14 20:19:03
From: Eric Davis <edavis@littlestreamsoftware.com>
Date: 2009-11-14 20:19:03
Subject: [PATCH] Merged r3051 from trunk with some changes for 0.8 sessions.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.8-stable@3053 e93f8b46-1217-0410-a6f0-8f06a7374b81

---

diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index 29772ca..dfe7a29 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -23,6 +23,7 @@ class ApplicationController < ActionController::Base
   
   before_filter :user_setup, :check_if_login_required, :set_localization
   filter_parameter_logging :password
+  protect_from_forgery :secret => session.first[:secret]
   
   include Redmine::MenuManager::MenuController
   helper Redmine::MenuManager::MenuHelper
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 7c821da..40469f3 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -15,3 +15,6 @@ config.action_controller.perform_caching             = false
 
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
diff --git a/config/environments/test_pgsql.rb b/config/environments/test_pgsql.rb
index 7c821da..cc1c1ae 100644
--- a/config/environments/test_pgsql.rb
+++ b/config/environments/test_pgsql.rb
@@ -15,3 +15,7 @@ config.action_controller.perform_caching             = false
 
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+
diff --git a/config/environments/test_sqlite3.rb b/config/environments/test_sqlite3.rb
index 7c821da..40469f3 100644
--- a/config/environments/test_sqlite3.rb
+++ b/config/environments/test_sqlite3.rb
@@ -15,3 +15,6 @@ config.action_controller.perform_caching             = false
 
 config.action_mailer.perform_deliveries = true
 config.action_mailer.delivery_method = :test
+
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
diff --git a/doc/CHANGELOG b/doc/CHANGELOG
index 58b7360..d7926d4 100644
--- a/doc/CHANGELOG
+++ b/doc/CHANGELOG
@@ -11,6 +11,7 @@ http://www.redmine.org/
 * Fixed: First date of the date range not included in the time report with SQLite
 * Fixed: Password field not styled correctly on alternative stylesheet
 * Fixed: Error when sumbitting a POST request that requires a login
+* Fixed: CSRF vulnerabilities
 
 == 2009-11-04 v0.8.6