diff options
| author | Jeff Cohen <cohen.jeff@gmail.com> | 2008-10-31 23:10:44 -0500 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2008-11-13 11:23:21 +0100 |
| commit | fbbcd6f29aeccc938b97b5c01717365f8b67912c (patch) | |
| tree | 1328775dc257448c0289cd9b9045d5fc7874d29c /actionpack/lib/action_controller | |
| parent | 02df503d3b4db7a3e7fabe1403c388a059f905b8 (diff) | |
| download | rails-fbbcd6f29aeccc938b97b5c01717365f8b67912c.tar.gz rails-fbbcd6f29aeccc938b97b5c01717365f8b67912c.tar.bz2 rails-fbbcd6f29aeccc938b97b5c01717365f8b67912c.zip | |
Changed request forgery protection to only worry about HTML-formatted content requests.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
Diffstat (limited to 'actionpack/lib/action_controller')
| -rw-r--r-- | actionpack/lib/action_controller/mime_type.rb | 4 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/test_process.rb | 1 |
3 files changed, 4 insertions, 3 deletions
diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb index 26edca3b69..f43ae721c6 100644 --- a/actionpack/lib/action_controller/mime_type.rb +++ b/actionpack/lib/action_controller/mime_type.rb @@ -19,7 +19,7 @@ module Mime # end # end class Type - @@html_types = Set.new [:html, :all] + @@html_types = Set.new [:html, :url_encoded_form, :multipart_form, :all] @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml] cattr_reader :html_types, :unverifiable_types @@ -167,7 +167,7 @@ module Mime # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See # ActionController::RequestForgerProtection. def verify_request? - !@@unverifiable_types.include?(to_sym) + html? end def html? diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 05a6d8bb79..3e0e94a06b 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -99,7 +99,7 @@ module ActionController #:nodoc: end def verifiable_request_format? - request.content_type.nil? || request.content_type.verify_request? + !request.content_type.nil? && request.content_type.verify_request? end # Sets the token value for the current session. Pass a <tt>:secret</tt> option diff --git a/actionpack/lib/action_controller/test_process.rb b/actionpack/lib/action_controller/test_process.rb index 7a31f0e8d5..1e3a646bc9 100644 --- a/actionpack/lib/action_controller/test_process.rb +++ b/actionpack/lib/action_controller/test_process.rb @@ -395,6 +395,7 @@ module ActionController #:nodoc: @html_document = nil @request.env['REQUEST_METHOD'] ||= "GET" + @request.action = action.to_s parameters ||= {} |