author | Jose and Yehuda <wycats@gmail.com> | 2012-04-24 22:32:09 -0500 |
---|---|---|
committer | Jose and Yehuda <wycats@gmail.com> | 2012-04-24 22:52:26 -0500 |
commit | 56cdc81c08b1847c5c1f699810a8c3b9ac3715a6 (patch) | |
tree | a896641a85a55eab01eb74a129dbcbb09f7f8b6b /railties/test/isolation | |
parent | 0cc32c5fd7f875de61262b430bca23825691899b (diff) | |
download | rails-56cdc81c08b1847c5c1f699810a8c3b9ac3715a6.tar.gz rails-56cdc81c08b1847c5c1f699810a8c3b9ac3715a6.tar.bz2 rails-56cdc81c08b1847c5c1f699810a8c3b9ac3715a6.zip |
Remove default match without specified method
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
Diffstat (limited to 'railties/test/isolation')
-rw-r--r-- | railties/test/isolation/abstract_unit.rb | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb
index ac4c2abfc8..b28cc6e04d 100644
--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@@ -112,7 +112,7 @@ module TestHelpers
 routes = File.read("#{app_path}/config/routes.rb")
 if routes =~ /(\n\s*end\s*)\Z/
 File.open("#{app_path}/config/routes.rb", 'w') do |f|
- f.puts $` + "\nmatch ':controller(/:action(/:id))(.:format)'\n" + $1
+ f.puts $` + "\nmatch ':controller(/:action(/:id))(.:format)', :via => :all\n" + $1
 end
 end
@@ -143,7 +143,7 @@ module TestHelpers
 app.initialize!
 app.routes.draw do
- match "/" => "omg#index"
+ get "/" => "omg#index"
 end
 require 'rack/test'
@@ -161,7 +161,7 @@ module TestHelpers
 app_file 'config/routes.rb', <<-RUBY
 AppTemplate::Application.routes.draw do
- match ':controller(/:action)'
+ get ':controller(/:action)'
 end
 RUBY
 end
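Review bot: The rewritten catch-all in the first hunk opts the generated test app back into all-verb matching with `:via => :all`, which is precisely the permissive default this commit removes, and nothing in the helper records that this is intentional. A short comment above the `File.open` call would keep a later reader from "fixing" it or copying it into an application template, e.g. `# Deliberately matches every verb (:via => :all); this catch-all exists only for the isolation tests and is not a pattern for application routes.` The enclosing method begins before the hunk, so its purpose line is not visible here. The other two hunks switch test-only routes to `get` and need nothing further.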