diff options
| author | rick <rick@spacemonkey.local> | 2008-05-06 00:42:24 -0700 |
|---|---|---|
| committer | rick <rick@spacemonkey.local> | 2008-05-06 00:42:24 -0700 |
| commit | 0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2 (patch) | |
| tree | fae506c6f6ef3ec7b3fb05601bb61128903fd114 /actionpack/test/controller | |
| parent | 04f52219f11944e50555dc59917c73c99581dac0 (diff) | |
| download | rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.gz rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.tar.bz2 rails-0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2.zip | |
Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]
Diffstat (limited to 'actionpack/test/controller')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index d0c3c6e224..295075fed4 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -93,19 +93,37 @@ module RequestForgeryProtectionTests post :unsafe assert_response :success end - + def test_should_not_allow_post_without_token assert_raises(ActionController::InvalidAuthenticityToken) { post :index } end - + def test_should_not_allow_put_without_token assert_raises(ActionController::InvalidAuthenticityToken) { put :index } end - + def test_should_not_allow_delete_without_token assert_raises(ActionController::InvalidAuthenticityToken) { delete :index } end - + + def test_should_not_allow_api_formatted_post_without_token + assert_raises(ActionController::InvalidAuthenticityToken) do + post :index, :format => 'xml' + end + end + + def test_should_not_allow_put_without_token + assert_raises(ActionController::InvalidAuthenticityToken) do + put :index, :format => 'xml' + end + end + + def test_should_not_allow_delete_without_token + assert_raises(ActionController::InvalidAuthenticityToken) do + delete :index, :format => 'xml' + end + end + def test_should_not_allow_xhr_post_without_token assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index } end @@ -134,16 +152,19 @@ module RequestForgeryProtectionTests end def test_should_allow_post_with_xml + @request.env['CONTENT_TYPE'] = Mime::XML.to_s post :index, :format => 'xml' assert_response :success end def test_should_allow_put_with_xml + @request.env['CONTENT_TYPE'] = Mime::XML.to_s put :index, :format => 'xml' assert_response :success end def test_should_allow_delete_with_xml + @request.env['CONTENT_TYPE'] = Mime::XML.to_s delete :index, :format => 'xml' assert_response :success end |