aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Koziarski <michael@koziarski.com>2008-11-13 11:19:53 +0100
committerMichael Koziarski <michael@koziarski.com>2008-11-13 11:23:34 +0100
commitf1ad8b48aae3ee26613b3e77bc0056e120096846 (patch)
tree6df93a9c456ee4bcb91ca33d57957ae7d838d4f1
parent00c46b5eeb858629ef1c7ab50f022aecccca42c3 (diff)
downloadrails-f1ad8b48aae3ee26613b3e77bc0056e120096846.tar.gz
rails-f1ad8b48aae3ee26613b3e77bc0056e120096846.tar.bz2
rails-f1ad8b48aae3ee26613b3e77bc0056e120096846.zip
Instead of overriding html_types, base the verification on browser_generated_types.
Also Deprecate the old unverifiable types. [#1145 state:committed]
-rw-r--r--actionpack/lib/action_controller/mime_type.rb21
-rw-r--r--actionpack/test/controller/mime_type_test.rb6
2 files changed, 20 insertions, 7 deletions
diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb
index 48c4c1ee1e..8ca3a70341 100644
--- a/actionpack/lib/action_controller/mime_type.rb
+++ b/actionpack/lib/action_controller/mime_type.rb
@@ -19,12 +19,21 @@ module Mime
# end
# end
class Type
- @@html_types = Set.new [:html, :url_encoded_form, :multipart_form, :all]
+ @@html_types = Set.new [:html, :all]
cattr_reader :html_types
- # UNUSED, deprecate?
+ # These are the content types which browsers can generate without using ajax, flash, etc
+ # i.e. following a link, getting an image or posting a form. CSRF protection
+ # only needs to protect against these types.
+ @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form]
+ cattr_reader :browser_generated_types
+
+
@@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
- cattr_reader :unverifiable_types
+ def self.unverifiable_types
+ ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller)
+ @@unverifiable_types
+ end
# A simple helper class used in parsing the accept header
class AcceptItem #:nodoc:
@@ -170,13 +179,17 @@ module Mime
# Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See
# ActionController::RequestForgerProtection.
def verify_request?
- html?
+ browser_generated?
end
def html?
@@html_types.include?(to_sym) || @string =~ /html/
end
+ def browser_generated?
+ @@browser_generated_types.include?(to_sym)
+ end
+
private
def method_missing(method, *args)
if method.to_s =~ /(\w+)\?$/
diff --git a/actionpack/test/controller/mime_type_test.rb b/actionpack/test/controller/mime_type_test.rb
index 4cfaf38ac7..21ae0419f1 100644
--- a/actionpack/test/controller/mime_type_test.rb
+++ b/actionpack/test/controller/mime_type_test.rb
@@ -77,8 +77,8 @@ class MimeTypeTest < Test::Unit::TestCase
all_types.uniq!
# Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE
all_types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) }
- verified, unverified = all_types.partition { |type| Mime::Type.html_types.include? type }
- assert verified.each { |type| assert Mime.const_get(type.to_s.upcase).verify_request?, "Mime Type is not verified: #{type.inspect}" }
- assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Mime Type is verified: #{type.inspect}" }
+ verified, unverified = all_types.partition { |type| Mime::Type.browser_generated_types.include? type }
+ assert verified.each { |type| assert Mime.const_get(type.to_s.upcase).verify_request?, "Verifiable Mime Type is not verified: #{type.inspect}" }
+ assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Nonverifiable Mime Type is verified: #{type.inspect}" }
end
end