Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]

author: rick <rick@spacemonkey.local> 2008-05-06 00:42:24 -0700
committer: rick <rick@spacemonkey.local> 2008-05-06 00:42:24 -0700
commit: 0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2 (patch)
tree: fae506c6f6ef3ec7b3fb05601bb61128903fd114 /actionpack/CHANGELOG
parent: 04f52219f11944e50555dc59917c73c99581dac0 (diff)
download: rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.gz
rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.bz2
rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 54030047ba..87f570d55c 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [rick]
+
 * Fixed that TextHelper#text_field would corrypt when raw HTML was used as the value (mchenryc, Kevin Glowacz) [#80]
 
 * Added ActionController::TestCase#rescue_action_in_public! to control whether the action under test should use the regular rescue_action path instead of simply raising the exception inline (great for error testing) [DHH]
author	rick <rick@spacemonkey.local>	2008-05-06 00:42:24 -0700
committer	rick <rick@spacemonkey.local>	2008-05-06 00:42:24 -0700
commit	0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2 (patch)
tree	fae506c6f6ef3ec7b3fb05601bb61128903fd114 /actionpack/CHANGELOG
parent	04f52219f11944e50555dc59917c73c99581dac0 (diff)
download	rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.gz rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.bz2 rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.zip