-rw-r--r--actionpack/CHANGELOG2
-rwxr-xr-xactionpack/lib/action_controller/request.rb4
-rw-r--r--actionpack/test/controller/request_test.rb30
3 files changed, 33 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index c93ff29d7a..c5578ee056 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]
+
* Fix bug when passing multiple options to SimplyRestful, like :new => { :preview => :get, :draft => :get }. [Rick Olson, Josh Susser, Lars Pind]
* Dup the options passed to map.resources so that multiple resources get the same options. [Rick Olson]
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index 0802353405..35a486fee4 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -15,8 +15,8 @@ module ActionController
# Returns the HTTP request method as a lowercase symbol (:get, for example)
def method
- @request_method ||= (method = parameters[:_method] && method == :post) ?
- method.to_s.downcase.to_sym :
+ @request_method ||= (!parameters[:_method].blank? && @env['REQUEST_METHOD'] == 'POST') ?
+ parameters[:_method].to_s.downcase.to_sym :
@env['REQUEST_METHOD'].downcase.to_sym
end
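Review bot: The new condition gates the override on a POST, but `parameters[:_method].to_s.downcase.to_sym` on the next line still turns any request-supplied string into a symbol, so `method` can return a value that is not an HTTP verb at all, and on Ruby versions that never collect symbols an unbounded set of distinct `_method` values is retained for the life of the process. Restricting the override to the verbs the router understands closes both gaps while keeping the POST-only rule this commit introduces. For example, replace the ternary with `override = @env['REQUEST_METHOD'] == 'POST' ? parameters[:_method].to_s.downcase : nil` followed by `@request_method ||= (%w(get head put delete).include?(override) ? override : @env['REQUEST_METHOD'].downcase).to_sym`, which also drops the dependency on `blank?` since an empty or missing `_method` simply fails the membership test. The comment above `def method` could then say `# A POST may override its method via ?_method=, limited to GET, HEAD, PUT and DELETE` so the whitelist is documented at the point of use.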
diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
index 43cd8836fe..9f79e7d6df 100644
--- a/actionpack/test/controller/request_test.rb
+++ b/actionpack/test/controller/request_test.rb
@@ -262,5 +262,33 @@ class RequestTest < Test::Unit::TestCase
@request.env['HTTP_X_FORWARDED_PROTO'] = 'https'
assert @request.ssl?
end
-
+
+ def test_symbolized_request_methods
+ [:head, :get, :post, :put, :delete].each do |method|
+ set_request_method_to method
+ assert_equal method, @request.method
+ end
+ end
+
+ def test_allow_method_hacking_on_post
+ set_request_method_to :post
+ [:head, :get, :put, :delete].each do |method|
+ @request.instance_eval { @parameters = { :_method => method } ; @request_method = nil }
+ assert_equal method, @request.method
+ end
+ end
+
+ def test_restrict_method_hacking
+ @request.instance_eval { @parameters = { :_method => 'put' } }
+ [:head, :get, :put, :delete].each do |method|
+ set_request_method_to method
+ assert_equal method, @request.method
+ end
+ end
+
+ protected
+ def set_request_method_to(method)
+ @request.env['REQUEST_METHOD'] = method.to_s.upcase
+ @request.instance_eval { @request_method = nil }
+ end
end
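Review bot: The `!parameters[:_method].blank?` half of the new guard in request.rb is not exercised here: none of the three tests sends a POST whose `_method` is empty or nil, so a regression that let a blank override through (an empty symbol, or an ArgumentError from `to_sym`, depending on the Ruby version) would go unnoticed. Suggest a fourth case beside test_allow_method_hacking_on_post: `set_request_method_to :post`, `@request.instance_eval { @parameters = { :_method => '' } }`, `assert_equal :post, @request.method`. In test_restrict_method_hacking the `:put` iteration proves nothing, because the override and REQUEST_METHOD agree; dropping `:put` from that array, or setting `_method` to a verb that is absent from it, keeps each assertion a genuine restriction check. The repeated `instance_eval { @request_method = nil }` could also move into `set_request_method_to`'s sibling helper so the tests do not reach into the request's memoization ivar directly.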