Loading Changelog.md +1 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ * Indicate proper way to report bugs in the sidebar [#7039](https://github.com/diaspora/diaspora/pull/7039) * Remove text color from notification mails and fix sender avatar [#7054](https://github.com/diaspora/diaspora/pull/7054) * Make the session cookies HttpOnly again [#7041](https://github.com/diaspora/diaspora/pull/7041) * Invalidate sessions with invalid CSRF tokens [#7050](https://github.com/diaspora/diaspora/pull/7050) ## Bug fixes * Post comments no longer get collapsed when interacting with a post [#7040](https://github.com/diaspora/diaspora/pull/7040) Loading app/controllers/application_controller.rb +5 −1 Original line number Diff line number Diff line Loading @@ -8,7 +8,11 @@ class ApplicationController < ActionController::Base protect_from_forgery except: :receive, with: :exception rescue_from ActionController::InvalidAuthenticityToken do if user_signed_in? logger.warn "#{current_user.diaspora_handle} CSRF token fail. referer: #{request.referer || 'empty'}" Workers::Mail::CsrfTokenFail.perform_async(current_user.id) sign_out current_user end flash[:error] = I18n.t("error_messages.csrf_token_fail") redirect_to new_user_session_path format: request[:format] end Loading app/mailers/notification_mailers/csrf_token_fail.rb 0 → 100644 +7 −0 Original line number Diff line number Diff line module NotificationMailers class CsrfTokenFail < NotificationMailers::Base def set_headers @headers[:subject] = I18n.t("notifier.csrf_token_fail.subject", name: @recipient.name) end end end app/mailers/notifier.rb +4 −0 Original line number Diff line number Diff line Loading 
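Review bot: In the application_controller.rb section, `sign_out current_user` inside the `if user_signed_in?` branch logs out that Devise scope, but as far as I recall the resource form does not call `reset_session` itself; since the changelog entry describes this as invalidating the session, confirm that a scoped sign-out is enough for the Devise/Warden versions in use, or use `sign_out` with no argument or an explicit `reset_session` so the whole session is dropped. `Workers::Mail::CsrfTokenFail`, enqueued on the next line, is not among the visible file sections, so I cannot confirm it exists and forwards to `Notifier#csrf_token_fail`. The referer written by `logger.warn` is client-supplied, so it should be read as untrusted text when the log is reviewed. The enclosing `ApplicationController` body continues outside the hunk.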
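Review bot: The new `NotificationMailers::CsrfTokenFail` class has no class comment, and `set_headers` overrides a hook from `NotificationMailers::Base` whose contract is not visible in this commit. I would add above the class `# Mail sent when a signed-in user's request fails CSRF verification and the session is terminated; only the subject is set here, the body comes from the csrf_token_fail.markerb view.` Whether `@recipient` is already populated when `set_headers` runs depends on `Base`, which is outside the commit — worth confirming.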
@@ -87,6 +87,10 @@ class Notifier < ActionMailer::Base send_notification(:confirm_email, recipient_id) end def csrf_token_fail(recipient_id) send_notification(:csrf_token_fail, recipient_id) end private def send_notification(type, *args) @notification = NotificationMailers.const_get(type.to_s.camelize).new(*args) Loading app/views/notifier/csrf_token_fail.markerb 0 → 100644 +1 −0 Original line number Diff line number Diff line <%= t("notifier.csrf_token_fail.body", name: @notification.recipient_first_name, link: "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") %> Loading
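Review bot: `csrf_token_fail` in notifier.rb is added without a comment explaining what the recipient is being told. I would add above it `# Notifies +recipient_id+ that a request made on their behalf failed CSRF verification; dispatched via send_notification to NotificationMailers::CsrfTokenFail.` The `send_notification` helper below resolves the mailer with `const_get(type.to_s.camelize)`; `type` is a fixed symbol here, so no request-controlled value reaches that lookup. The `Notifier` class continues beyond the hunk.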
Changelog.md +1 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ * Indicate proper way to report bugs in the sidebar [#7039](https://github.com/diaspora/diaspora/pull/7039) * Remove text color from notification mails and fix sender avatar [#7054](https://github.com/diaspora/diaspora/pull/7054) * Make the session cookies HttpOnly again [#7041](https://github.com/diaspora/diaspora/pull/7041) * Invalidate sessions with invalid CSRF tokens [#7050](https://github.com/diaspora/diaspora/pull/7050) ## Bug fixes * Post comments no longer get collapsed when interacting with a post [#7040](https://github.com/diaspora/diaspora/pull/7040) Loading
app/controllers/application_controller.rb +5 −1 Original line number Diff line number Diff line Loading @@ -8,7 +8,11 @@ class ApplicationController < ActionController::Base protect_from_forgery except: :receive, with: :exception rescue_from ActionController::InvalidAuthenticityToken do if user_signed_in? logger.warn "#{current_user.diaspora_handle} CSRF token fail. referer: #{request.referer || 'empty'}" Workers::Mail::CsrfTokenFail.perform_async(current_user.id) sign_out current_user end flash[:error] = I18n.t("error_messages.csrf_token_fail") redirect_to new_user_session_path format: request[:format] end Loading
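--- a/app/mailers/notification_mailers/csrf_token_fail.rb
+++ b/app/mailers/notification_mailers/csrf_token_fail.rb
@@ -0,0 +1,7 @@
+module NotificationMailers
+  class CsrfTokenFail < NotificationMailers::Base
+    def set_headers
+      @headers[:subject] = I18n.t("notifier.csrf_token_fail.subject", name: @recipient.name)
+    end
+  end
+end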
app/mailers/notifier.rb +4 −0 Original line number Diff line number Diff line Loading @@ -87,6 +87,10 @@ class Notifier < ActionMailer::Base send_notification(:confirm_email, recipient_id) end def csrf_token_fail(recipient_id) send_notification(:csrf_token_fail, recipient_id) end private def send_notification(type, *args) @notification = NotificationMailers.const_get(type.to_s.camelize).new(*args) Loading
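--- a/app/views/notifier/csrf_token_fail.markerb
+++ b/app/views/notifier/csrf_token_fail.markerb
@@ -0,0 +1 @@
+<%= t("notifier.csrf_token_fail.body", name: @notification.recipient_first_name, link: "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") %>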