diff options
| author | Michael Koziarski <michael@koziarski.com> | 2008-11-13 11:19:53 +0100 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2008-11-13 11:23:34 +0100 |
| commit | f1ad8b48aae3ee26613b3e77bc0056e120096846 (patch) | |
| tree | 6df93a9c456ee4bcb91ca33d57957ae7d838d4f1 /actionpack | |
| parent | 00c46b5eeb858629ef1c7ab50f022aecccca42c3 (diff) | |
| download | rails-f1ad8b48aae3ee26613b3e77bc0056e120096846.tar.gz rails-f1ad8b48aae3ee26613b3e77bc0056e120096846.tar.bz2 rails-f1ad8b48aae3ee26613b3e77bc0056e120096846.zip | |
Instead of overriding html_types, base the verification on browser_generated_types.
Also Deprecate the old unverifiable types.
[#1145 state:committed]
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/lib/action_controller/mime_type.rb | 21 | ||||
| -rw-r--r-- | actionpack/test/controller/mime_type_test.rb | 6 |
2 files changed, 20 insertions, 7 deletions
diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb index 48c4c1ee1e..8ca3a70341 100644 --- a/actionpack/lib/action_controller/mime_type.rb +++ b/actionpack/lib/action_controller/mime_type.rb @@ -19,12 +19,21 @@ module Mime # end # end class Type - @@html_types = Set.new [:html, :url_encoded_form, :multipart_form, :all] + @@html_types = Set.new [:html, :all] cattr_reader :html_types - # UNUSED, deprecate? + # These are the content types which browsers can generate without using ajax, flash, etc + # i.e. following a link, getting an image or posting a form. CSRF protection + # only needs to protect against these types. + @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form] + cattr_reader :browser_generated_types + + @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml] - cattr_reader :unverifiable_types + def self.unverifiable_types + ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller) + @@unverifiable_types + end # A simple helper class used in parsing the accept header class AcceptItem #:nodoc: @@ -170,13 +179,17 @@ module Mime # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See # ActionController::RequestForgerProtection. def verify_request? - html? + browser_generated? end def html? @@html_types.include?(to_sym) || @string =~ /html/ end + def browser_generated? + @@browser_generated_types.include?(to_sym) + end + private def method_missing(method, *args) if method.to_s =~ /(\w+)\?$/ diff --git a/actionpack/test/controller/mime_type_test.rb b/actionpack/test/controller/mime_type_test.rb index 4cfaf38ac7..21ae0419f1 100644 --- a/actionpack/test/controller/mime_type_test.rb +++ b/actionpack/test/controller/mime_type_test.rb @@ -77,8 +77,8 @@ class MimeTypeTest < Test::Unit::TestCase all_types.uniq! # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE all_types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) } - verified, unverified = all_types.partition { |type| Mime::Type.html_types.include? type } - assert verified.each { |type| assert Mime.const_get(type.to_s.upcase).verify_request?, "Mime Type is not verified: #{type.inspect}" } - assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Mime Type is verified: #{type.inspect}" } + verified, unverified = all_types.partition { |type| Mime::Type.browser_generated_types.include? type } + assert verified.each { |type| assert Mime.const_get(type.to_s.upcase).verify_request?, "Verifiable Mime Type is not verified: #{type.inspect}" } + assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Nonverifiable Mime Type is verified: #{type.inspect}" } end end |