
Revision 4692b6bd

Added by Daniel Lobato Garcia over 9 years ago

Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)

To avoid CSRF, logout is changed to be a POST request so
protect_from_forgery checks the CSRF token. However, in Rails 3 the only
strategy available is to nullify the session of the attacker.
We modify this behavior to raise a Foreman Exception.
This issue is probably worth revisiting on the update to Rails 4 as
throwing an exception is a valid strategy again.

(cherry picked from commit 4e3a7e7a2a542435686a667773eafc73c92e557b)
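Why the commit raises instead of accepting Rails 3's default, as an added illustration that is not Foreman's or Rails' own code: the default forgery handler nullifies the session and then runs the action anyway, and for a logout action an emptied session is exactly the outcome a forged request wants, so the CSRF still "succeeds"; a GET logout is never verified at all, which is why the action moves to POST. The controller classes, `Foreman::Error` and the token values are constructed stand-ins for this example.

```ruby
module Foreman
  class Error < StandardError; end  # stand-in for Foreman::Exception
end

# Stand-in for a Rails 3 controller with protect_from_forgery enabled.
class BaseController
  attr_reader :session

  def initialize(session)
    @session = session
  end

  # Rails verifies only non-GET requests; a GET logout is never checked,
  # which is why the commit switches logout to a POST request.
  def verified?(method, params)
    method == :get || params[:authenticity_token] == session[:_csrf_token]
  end

  # Rails 3 default strategy: nullify the session, then run the action anyway.
  def handle_unverified_request
    session.clear
  end

  def process(action, method, params)
    handle_unverified_request unless verified?(method, params)
    public_send(action)
  end

  # The logout action: drops the logged-in user from the session.
  def destroy
    session.delete(:user)
    :logged_out
  end
end

# The commit's approach: raise instead of silently resetting the session.
class StrictController < BaseController
  def handle_unverified_request
    raise Foreman::Error, 'Invalid authenticity token'
  end
end

# Runs one logout request; returns [outcome, user still in session].
def run_logout(controller_class, method, token)
  session = { user: 'alice', _csrf_token: 'good-token' }  # constructed session
  outcome = controller_class.new(session).process(:destroy, method, { authenticity_token: token })
  [outcome, session[:user]]
rescue Foreman::Error
  [:rejected, session[:user]]
end
```

With the default handler a forged POST (or any GET) still ends with the user logged out, while the strict handler rejects the forged request and leaves the session intact.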
