sinatra / rack-protection

NOTE: This project has been merged upstream to sinatra/sinatra
https://github.com/sinatra/sinatra/tree/master/rack-protection

Authenticity token not being set unless form is sent #60

Closed cesarfigueroa closed 11 years ago

cesarfigueroa commented 11 years ago

The culprit:

return true if safe? env

Because AuthenticityToken returns true if a request is not a POST, PUT or DELETE one, the token never gets set until a form is sent.
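As an added illustration (not rack-protection's code and not part of the issue thread), here is a simplified Ruby model of such a middleware with the check order switchable, showing that the "culprit" order leaves a GET request's session without a token while generating the token before the safe-method check stores one on every request. The class `TokenCheck`, the helper `run_request`, the hand-rolled `secure_compare` and the sample Rack env hashes are all constructed for this example.

```ruby
require 'securerandom'
# Simplified stand-in for a CSRF-token middleware (not rack-protection's code):
# a model of the ordering described in the issue, switchable between the
# buggy order (safe? checked before the token is created) and the fixed order.
class TokenCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  def initialize(app, token_before_safe_check:)
    @app = app
    @token_before_safe_check = token_before_safe_check
  end
  def call(env)
    return @app.call(env) if accepts?(env)
    [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
  end
  private
  def safe?(env)
    SAFE_METHODS.include?(env['REQUEST_METHOD'])
  end
  # Create the per-session token on first use.
  def ensure_token(env)
    (env['rack.session'] ||= {})[:csrf] ||= SecureRandom.hex(32)
  end
  def accepts?(env)
    if @token_before_safe_check
      token = ensure_token(env)        # fixed: every request, GET included, gets a token
      return true if safe?(env)
    else
      return true if safe?(env)        # the "culprit": a GET rendering a form stores nothing
      token = ensure_token(env)
    end
    secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token)
  end
  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
# Drive one request through the middleware with a constructed Rack env and
# report [response status, whether the session now holds a token].
def run_request(method, fixed:, session: {}, header: nil)
  env = { 'REQUEST_METHOD' => method, 'rack.session' => session }
  env['HTTP_X_CSRF_TOKEN'] = header if header
  status, = TokenCheck.new(->(_e) { [200, {}, ['ok']] }, token_before_safe_check: fixed).call(env)
  [status, session.key?(:csrf)]
end
```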

jordimassaguerpla commented 11 years ago

Hi! I found your commit with the gems-status software (github.com/jordimassaguerpla/gems-status) and I am wondering if I should update my apps that use your software because of this commit. Is this a security issue? Thanks.

rkh commented 11 years ago

No, this is not a security issue.