| author | Rémy Coutable <remy@rymai.me> | 2018-01-24 10:47:17 +0000 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2018-01-24 10:47:17 +0000 |
| commit | e2a56af930f9f7d17a6a9b638f52007a60e4cc60 (patch) | |
| tree | 184b2757af950dcff0236d163bcfb5850526992a | |
| parent | 47f6dbdf47ced926700dec8e138ed16b59a1c40a (diff) | |
| parent | 79a829a0372a974bb3d40e66ca3fdc213200db40 (diff) | |
| download | gitlab-ce-e2a56af930f9f7d17a6a9b638f52007a60e4cc60.tar.gz | |
Merge branch 'sh-fix-cross-site-forgery-errors' into 'master'
Return a blank JSON response for a missing .js file to prevent Rails CSRF errors
Closes #40771
See merge request gitlab-org/gitlab-ce!16664
-rw-r--r-- | app/controllers/application_controller.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index ee21d81f23e..95ad38d9230 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -147,6 +147,8 @@ class ApplicationController < ActionController::Base format.html do render file: Rails.root.join("public", "404"), layout: false, status: "404" end + # Prevent the Rails CSRF protector from thinking a missing .js file is a JavaScript file + format.js { render json: '', status: :not_found, content_type: 'application/json' } format.any { head :not_found } end end |
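Review bot: `render json: '', status: :not_found, content_type: 'application/json'` in the new `format.js` branch sends an empty body under a JSON content type, and an empty body is not valid JSON, so any client that parses the 404 response will raise. Consider `format.js { render json: {}, status: :not_found }` instead: the body becomes `{}` and `render json:` already sets `application/json`, so the explicit `content_type:` is not needed. The intent stated in the hunk's comment is sound: the Rails forgery protector rejects a cross-origin GET that would be answered with a JavaScript content type, so a plain 404 for a missing `.js` path must not be typed as JavaScript or the guard raises instead of returning 404. Nothing in the diff exercises this path; a request spec asserting that `GET /missing.js` returns 404 with a JSON content type (and no `ActionController::InvalidCrossOriginRequest`) would pin the behaviour. Minor consistency point for the same region: the existing `format.html` branch uses `status: "404"` while the new line uses the `:not_found` symbol; aligning both on the symbol form would read better.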