$OpenBSD: patch-lib_action_controller_metal_request_forgery_protection_rb,v 1.1 2011/02/10 01:42:22 jeremy Exp $

Fix for CVE-2011-0447.

--- lib/action_controller/metal/request_forgery_protection.rb.orig	Wed Dec 31 16:00:00 1969
+++ lib/action_controller/metal/request_forgery_protection.rb	Wed Feb  9 08:48:24 2011
@@ -85,25 +85,24 @@ module ActionController #:nodoc:
     end
 
     protected
-
-      def protect_from_forgery(options = {})
-        self.request_forgery_protection_token ||= :authenticity_token
-        before_filter :verify_authenticity_token, options
-      end
-
       # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
       def verify_authenticity_token
-        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+        verified_request? || handle_unverified_request
       end
 
+      def handle_unverified_request
+        reset_session
+      end
+
       # Returns true or false if a request is verified.  Checks:
       #
-      # * is the format restricted?  By default, only HTML requests are checked.
       # * is it a GET request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
+      # * Does the X-CSRF-Token header match the form_authenticity_token
       def verified_request?
-        !protect_against_forgery? || request.forgery_whitelisted? ||
-          form_authenticity_token == params[request_forgery_protection_token]
+        !protect_against_forgery? || request.get? ||
+          form_authenticity_token == params[request_forgery_protection_token] ||
+          form_authenticity_token == request.headers['X-CSRF-Token']
       end
 
       # Sets the token value for the current session.
