It seems Rails just patched a CSRF vulnerability yesterday.

http://weblog.rubyonrails.com/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

Victor



On 11/18/08 11:41 PM, "Sean Cribbs" <[EMAIL PROTECTED]> wrote:

> For some reason, the CSRF protections in Rails require that if you use
> :active_record_store for sessions, the key given in your config setting
> must be equivalent to the key given in the call to protect_from_forgery
> in the controller.  One way around this might be to add an
> after_initialize block like so:
> 
> config.after_initialize do
>   ActionController::Base.request_forgery_protection_options.update(
>     :secret => 'putyourreallylongsha1hashkeyhere')
> end
> 
> Sean
> 
> Steven Line wrote:
>> Geez, I don't know what just happened here, but I stuck this line of
>> code in some obscure file I didn't even know existed and it fixed my
>> problem.
>> 
>> I stuck this line of code:
>> 
>>    protect_from_forgery :secret =>
>> 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index
>> 
>> into my
>> 
>>    radiant-0.6.9/app/controllers/admin/page_controller.rb
>> 
>> and the error went away.
>> 
> 
> _______________________________________________
> Radiant mailing list
> Post:   Radiant@radiantcms.org
> Search: http://radiantcms.org/mailing-list/search/
> Site:   http://lists.radiantcms.org/mailman/listinfo/radiant

Victor Zuniga
Westerville Public Library
126 S. State St. | Westerville, OH 43081
Phone: 614.882.7277 | ext 165
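An added illustration (not Rails' or Radiant's own code) of the point Sean raises: the anti-forgery token embedded in a form is derived from the forgery secret, so a token minted under the session-config secret cannot verify against a different secret given to protect_from_forgery. The SHA1 derivation string and the sample secrets below are assumptions, not the real Rails 2.1 layout.

```ruby
# Added example (not Rails' code): why the CSRF secret used when a form is
# rendered must equal the one used when the submitted form is verified.
# The token derivation is a simplified model of the SHA1-based scheme Rails 2.x
# used for non-cookie session stores; the exact string layout is an assumption.
require 'digest/sha1'

# Mint the per-session anti-forgery token from a server secret and the session id.
def forgery_token(secret, session_id)
  Digest::SHA1.hexdigest("#{secret}--#{session_id}")
end

# Constant-time comparison so token checks do not leak a timing side channel.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a submitted token against the token expected for this session.
def verified_request?(submitted_token, secret, session_id)
  return false if submitted_token.nil?
  secure_equal?(submitted_token, forgery_token(secret, session_id))
end

# Constructed sample values (placeholders, not real keys).
CONFIG_SECRET     = 'secret-from-config-session-setting'
CONTROLLER_SECRET = 'secret-from-protect_from_forgery'
SESSION_ID        = 'constructed-session-id-0001'

# Simulate one request cycle: the form is rendered with one secret and the
# POST is checked with another. Returns true only when the secrets agree.
def form_roundtrip_ok?(render_secret, verify_secret, session_id = SESSION_ID)
  token_in_form = forgery_token(render_secret, session_id)
  verified_request?(token_in_form, verify_secret, session_id)
end

if __FILE__ == $PROGRAM_NAME
  puts "same secret both sides:   #{form_roundtrip_ok?(CONFIG_SECRET, CONFIG_SECRET)}"
  puts "config vs controller key: #{form_roundtrip_ok?(CONFIG_SECRET, CONTROLLER_SECRET)}"
end
```

The second case is the mismatch that produces the InvalidAuthenticityToken error the thread describes; the after_initialize workaround makes both sides read the same value.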

