nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #8381 from SuperTux88/fix-forgery-protection-for-federation

Browse source 
Bump diaspora_federation and enable forgery protection by default again
This commit is contained in:
Benjamin Neff 2022-07-24 01:30:41 +02:00
commit 429a47d64d
No known key found for this signature in database
GPG key ID: 971464C3F1A90194
4 changed files with 12 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Gemfile
View file

@ -15,8 +15,8 @@ gem "unicorn-worker-killer", "0.4.5"
# Federation # Federation
gem "diaspora_federation-json_schema", "1.0.0" gem "diaspora_federation-json_schema", "1.0.1"
gem "diaspora_federation-rails", "1.0.0" gem "diaspora_federation-rails", "1.0.1"
# API and JSON # API and JSON
@ -245,7 +245,7 @@ group :test do
gem "timecop", "0.9.5" gem "timecop", "0.9.5"
gem "webmock", "3.14.0", require: false gem "webmock", "3.14.0", require: false
gem "diaspora_federation-test", "1.0.0" gem "diaspora_federation-test", "1.0.1"
end end
group :development, :test do group :development, :test do

18
Gemfile.lock
View file

@ -209,18 +209,18 @@ GEM
devise_lastseenable (0.0.6) devise_lastseenable (0.0.6)
devise devise
rails (>= 3.0.4) rails (>= 3.0.4)
diaspora_federation (1.0.0) diaspora_federation (1.0.1)
faraday (>= 1.0, < 3) faraday (>= 1.0, < 3)
faraday-follow_redirects (~> 0.3) faraday-follow_redirects (~> 0.3)
nokogiri (~> 1.6, >= 1.6.8) nokogiri (~> 1.6, >= 1.6.8)
typhoeus (~> 1.0) typhoeus (~> 1.0)
valid (~> 1.0) valid (~> 1.0)
diaspora_federation-json_schema (1.0.0) diaspora_federation-json_schema (1.0.1)
diaspora_federation-rails (1.0.0) diaspora_federation-rails (1.0.1)
actionpack (>= 5.2, < 8) actionpack (>= 5.2, < 8)
diaspora_federation (= 1.0.0) diaspora_federation (= 1.0.1)
diaspora_federation-test (1.0.0) diaspora_federation-test (1.0.1)
diaspora_federation (= 1.0.0) diaspora_federation (= 1.0.1)
fabrication (~> 2.29) fabrication (~> 2.29)
uuid (~> 2.3, >= 2.3.8) uuid (~> 2.3, >= 2.3.8)
diff-lcs (1.5.0) diff-lcs (1.5.0)
@ -800,9 +800,9 @@ DEPENDENCIES
devise (= 4.8.1) devise (= 4.8.1)
devise-two-factor (= 4.0.2) devise-two-factor (= 4.0.2)
devise_lastseenable (= 0.0.6) devise_lastseenable (= 0.0.6)
diaspora_federation-json_schema (= 1.0.0) diaspora_federation-json_schema (= 1.0.1)
diaspora_federation-rails (= 1.0.0) diaspora_federation-rails (= 1.0.1)
diaspora_federation-test (= 1.0.0) diaspora_federation-test (= 1.0.1)
eye (= 0.10.0) eye (= 0.10.0)
factory_bot_rails (= 6.2.0) factory_bot_rails (= 6.2.0)
faraday (= 1.10.0) faraday (= 1.10.0)

1
app/controllers/application_controller.rb
View file

@ -7,7 +7,6 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
before_action :force_tablet_html before_action :force_tablet_html
has_mobile_fu has_mobile_fu
protect_from_forgery except: :receive, with: :exception, prepend: true
rescue_from ActionController::InvalidAuthenticityToken do rescue_from ActionController::InvalidAuthenticityToken do
if user_signed_in? if user_signed_in?

5
config/application.rb
View file

@ -39,11 +39,6 @@ module Diaspora
# Enable escaping HTML in JSON. # Enable escaping HTML in JSON.
config.active_support.escape_html_entities_in_json = true config.active_support.escape_html_entities_in_json = true
# We specify CSRF protection manually in ApplicationController with
# protect_from_forgery - having it enabled anywhere by default breaks
# federation.
config.action_controller.default_protect_from_forgery = false
# Enable the asset pipeline # Enable the asset pipeline
config.assets.enabled = true config.assets.enabled = true