author | gbuesing <gbuesing@gmail.com> | 2008-11-13 09:04:24 -0600 |
---|---|---|
committer | gbuesing <gbuesing@gmail.com> | 2008-11-13 09:04:24 -0600 |
commit | f857da4faf4765ad1579818d2de55f0fabb1b527 (patch) | |
tree | bd1a7d5562829d680657fcc27a24b01aac9a252f /actionpack/lib | |
parent | 020a4113048be7166346cba6c59bbbca819de911 (diff) | |
parent | f1ad8b48aae3ee26613b3e77bc0056e120096846 (diff) | |
Merge branch 'master' of git@github.com:rails/rails
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/mime_type.rb | 20 | ||||
-rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 2 | ||||
-rw-r--r-- | actionpack/lib/action_controller/test_process.rb | 1 |
3 files changed, 20 insertions, 3 deletions
diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb
index 26edca3b69..8ca3a70341 100644
--- a/actionpack/lib/action_controller/mime_type.rb
+++ b/actionpack/lib/action_controller/mime_type.rb
@@ -20,8 +20,20 @@ module Mime
   # end
   class Type
     @@html_types = Set.new [:html, :all]
+    cattr_reader :html_types
+
+    # These are the content types which browsers can generate without using ajax, flash, etc
+    # i.e. following a link, getting an image or posting a form. CSRF protection
+    # only needs to protect against these types.
+    @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form]
+    cattr_reader :browser_generated_types
+
+
     @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
-    cattr_reader :html_types, :unverifiable_types
+    def self.unverifiable_types
+      ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller)
+      @@unverifiable_types
+    end

     # A simple helper class used in parsing the accept header
     class AcceptItem #:nodoc:
@@ -167,13 +179,17 @@ module Mime
     # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See
     # ActionController::RequestForgerProtection.
     def verify_request?
-      !@@unverifiable_types.include?(to_sym)
+      browser_generated?
     end

     def html?
       @@html_types.include?(to_sym) || @string =~ /html/
     end

+    def browser_generated?
+      @@browser_generated_types.include?(to_sym)
+    end
+
     private
       def method_missing(method, *args)
         if method.to_s =~ /(\w+)\?$/
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 05a6d8bb79..3e0e94a06b 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
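Review bot: `@@browser_generated_types` is now the allow-list that decides which requests get a CSRF check, yet the comment above it does not say that the classification rests on the request's own Content-Type header, which the sender controls, nor why `text/plain` is left out even though a plain HTML form with `enctype="text/plain"` produces it without any script or plugin; the comment should state that explicitly, and either `:text` belongs in the set or the omission needs a recorded reason. The deprecated `self.unverifiable_types` keeps returning the mutable `@@unverifiable_types`, so existing code that does `Mime::Type.unverifiable_types << :foo` keeps running without any effect on verification; the message should point at the replacement, e.g. `ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect; use browser_generated_types instead", caller)`. The symbols `:url_encoded_form` and `:multipart_form` only select anything if they are registered as Mime types, which this diff does not show, so that registration should be confirmed. The `Type` class continues outside the hunk.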
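Review bot: `browser_generated?` is added as a public predicate with no comment, while the comment on `verify_request?` a few lines above still reads as a generic forgery check even though the method now just delegates to it. Add above the new method `# Returns true if a browser can produce this type from a plain link, image or form submission (the types in @@browser_generated_types); verify_request? delegates here.`, and shorten the `verify_request?` comment to say it answers `browser_generated?`. Note also that `browser_generated?` is an exact symbol match, unlike the neighbouring `html?` which also accepts any type string containing "html"; stating that difference in the comment avoids someone assuming a similar substring rule. The class body continues past the end of the hunk.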
@@ -99,7 +99,7 @@ module ActionController #:nodoc:
     end

     def verifiable_request_format?
-      request.content_type.nil? || request.content_type.verify_request?
+      !request.content_type.nil? && request.content_type.verify_request?
     end

     # Sets the token value for the current session. Pass a <tt>:secret</tt> option
diff --git a/actionpack/lib/action_controller/test_process.rb b/actionpack/lib/action_controller/test_process.rb
index 7a31f0e8d5..1e3a646bc9 100644
--- a/actionpack/lib/action_controller/test_process.rb
+++ b/actionpack/lib/action_controller/test_process.rb
@@ -395,6 +395,7 @@ module ActionController #:nodoc:
       @html_document = nil
       @request.env['REQUEST_METHOD'] ||= "GET"
+      @request.action = action.to_s
       parameters ||= {}
|
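Review bot: The rewritten condition in `verifiable_request_format?` silently inverts the nil case: a request whose `request.content_type` is nil used to be verified and is now exempt from the CSRF check, and neither the method nor a comment records that this is deliberate. Because this predicate gates the forgery check (its callers are outside the hunk), add a comment such as `# A request with no Content-Type is treated as not browser-generated and is not verified; every type a browser can send (Mime::Type.browser_generated_types) is.` so the fail-open choice is visible to the next reader. The header is also looked up twice; `content_type = request.content_type` followed by `content_type && content_type.verify_request?` gives the same result with one lookup.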