diff options
| author | Jose and Yehuda <wycats@gmail.com> | 2012-04-24 22:32:09 -0500 |
|---|---|---|
| committer | Jose and Yehuda <wycats@gmail.com> | 2012-04-24 22:52:26 -0500 |
| commit | 56cdc81c08b1847c5c1f699810a8c3b9ac3715a6 (patch) | |
| tree | a896641a85a55eab01eb74a129dbcbb09f7f8b6b /railties/lib/rails | |
| parent | 0cc32c5fd7f875de61262b430bca23825691899b (diff) | |
| download | rails-56cdc81c08b1847c5c1f699810a8c3b9ac3715a6.tar.gz rails-56cdc81c08b1847c5c1f699810a8c3b9ac3715a6.tar.bz2 rails-56cdc81c08b1847c5c1f699810a8c3b9ac3715a6.zip | |
Remove default match without specified method
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
Diffstat (limited to 'railties/lib/rails')
| -rw-r--r-- | railties/lib/rails/application/finisher.rb | 2 | ||||
| -rw-r--r-- | railties/lib/rails/engine.rb | 8 |
2 files changed, 5 insertions, 5 deletions
diff --git a/railties/lib/rails/application/finisher.rb b/railties/lib/rails/application/finisher.rb index 7da495211d..002c6026e4 100644 --- a/railties/lib/rails/application/finisher.rb +++ b/railties/lib/rails/application/finisher.rb @@ -22,7 +22,7 @@ module Rails initializer :add_builtin_route do |app| if Rails.env.development? app.routes.append do - match '/rails/info/properties' => "rails/info#properties" + get '/rails/info/properties' => "rails/info#properties" end end end diff --git a/railties/lib/rails/engine.rb b/railties/lib/rails/engine.rb index 131d6e5711..43ee396cbe 100644 --- a/railties/lib/rails/engine.rb +++ b/railties/lib/rails/engine.rb @@ -148,7 +148,7 @@ module Rails # # # ENGINE/config/routes.rb # MyEngine::Engine.routes.draw do - # match "/" => "posts#index" + # get "/" => "posts#index" # end # # == Mount priority @@ -158,7 +158,7 @@ module Rails # # MyRailsApp::Application.routes.draw do # mount MyEngine::Engine => "/blog" - # match "/blog/omg" => "main#omg" + # get "/blog/omg" => "main#omg" # end # # +MyEngine+ is mounted at <tt>/blog</tt>, and <tt>/blog/omg</tt> points to application's @@ -167,7 +167,7 @@ module Rails # It's much better to swap that: # # MyRailsApp::Application.routes.draw do - # match "/blog/omg" => "main#omg" + # get "/blog/omg" => "main#omg" # mount MyEngine::Engine => "/blog" # end # @@ -256,7 +256,7 @@ module Rails # # config/routes.rb # MyApplication::Application.routes.draw do # mount MyEngine::Engine => "/my_engine", :as => "my_engine" - # match "/foo" => "foo#index" + # get "/foo" => "foo#index" # end # # Now, you can use the <tt>my_engine</tt> helper inside your application: |