diff options
author | rick <rick@spacemonkey.local> | 2008-05-06 00:42:24 -0700 |
---|---|---|
committer | rick <rick@spacemonkey.local> | 2008-05-06 00:42:24 -0700 |
commit | 0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2 (patch) | |
tree | fae506c6f6ef3ec7b3fb05601bb61128903fd114 /actionpack/lib/action_controller | |
parent | 04f52219f11944e50555dc59917c73c99581dac0 (diff) | |
download | rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.gz rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.bz2 rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.zip |
Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 7e6961d25f..1b349baeaf 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -99,7 +99,7 @@ module ActionController #:nodoc: end def verifiable_request_format? - request.format.html? || request.format.js? + request.content_type.nil? || request.content_type.html? end # Sets the token value for the current session. Pass a <tt>:secret</tt> option |