From fbbcd6f29aeccc938b97b5c01717365f8b67912c Mon Sep 17 00:00:00 2001 From: Jeff Cohen Date: Fri, 31 Oct 2008 23:10:44 -0500 Subject: Changed request forgery protection to only worry about HTML-formatted content requests. Signed-off-by: Michael Koziarski --- actionpack/lib/action_controller/mime_type.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib/action_controller/mime_type.rb') diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb index 26edca3b69..f43ae721c6 100644 --- a/actionpack/lib/action_controller/mime_type.rb +++ b/actionpack/lib/action_controller/mime_type.rb @@ -19,7 +19,7 @@ module Mime # end # end class Type - @@html_types = Set.new [:html, :all] + @@html_types = Set.new [:html, :url_encoded_form, :multipart_form, :all] @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml] cattr_reader :html_types, :unverifiable_types @@ -167,7 +167,7 @@ module Mime # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See # ActionController::RequestForgerProtection. def verify_request? - !@@unverifiable_types.include?(to_sym) + html? end def html? -- cgit v1.2.3 From 00c46b5eeb858629ef1c7ab50f022aecccca42c3 Mon Sep 17 00:00:00 2001 From: rick Date: Wed, 12 Nov 2008 13:34:29 -0800 Subject: fix two MimeType failing test cases Signed-off-by: Michael Koziarski --- actionpack/lib/action_controller/mime_type.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'actionpack/lib/action_controller/mime_type.rb') diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb index f43ae721c6..48c4c1ee1e 100644 --- a/actionpack/lib/action_controller/mime_type.rb +++ b/actionpack/lib/action_controller/mime_type.rb @@ -20,8 +20,11 @@ module Mime # end class Type @@html_types = Set.new [:html, :url_encoded_form, :multipart_form, :all] + cattr_reader :html_types + + # UNUSED, deprecate? @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml] - cattr_reader :html_types, :unverifiable_types + cattr_reader :unverifiable_types # A simple helper class used in parsing the accept header class AcceptItem #:nodoc: -- cgit v1.2.3 From f1ad8b48aae3ee26613b3e77bc0056e120096846 Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Thu, 13 Nov 2008 11:19:53 +0100 Subject: Instead of overriding html_types, base the verification on browser_generated_types. Also Deprecate the old unverifiable types. [#1145 state:committed] --- actionpack/lib/action_controller/mime_type.rb | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'actionpack/lib/action_controller/mime_type.rb') diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb index 48c4c1ee1e..8ca3a70341 100644 --- a/actionpack/lib/action_controller/mime_type.rb +++ b/actionpack/lib/action_controller/mime_type.rb @@ -19,12 +19,21 @@ module Mime # end # end class Type - @@html_types = Set.new [:html, :url_encoded_form, :multipart_form, :all] + @@html_types = Set.new [:html, :all] cattr_reader :html_types - # UNUSED, deprecate? + # These are the content types which browsers can generate without using ajax, flash, etc + # i.e. following a link, getting an image or posting a form. CSRF protection + # only needs to protect against these types. + @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form] + cattr_reader :browser_generated_types + + @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml] - cattr_reader :unverifiable_types + def self.unverifiable_types + ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller) + @@unverifiable_types + end # A simple helper class used in parsing the accept header class AcceptItem #:nodoc: @@ -170,13 +179,17 @@ module Mime # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See # ActionController::RequestForgerProtection. def verify_request? - html? + browser_generated? end def html? @@html_types.include?(to_sym) || @string =~ /html/ end + def browser_generated? + @@browser_generated_types.include?(to_sym) + end + private def method_missing(method, *args) if method.to_s =~ /(\w+)\?$/ -- cgit v1.2.3 From 8c197fb4ab4fa432a6e9421e0339a17a7ec296f1 Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Sun, 16 Nov 2008 20:19:02 +0100 Subject: Add text/plain to the browser_generated_types array as webkit and gecko can submit them. For more information see: http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/ --- actionpack/lib/action_controller/mime_type.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib/action_controller/mime_type.rb') diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb index 8ca3a70341..6923a13f3f 100644 --- a/actionpack/lib/action_controller/mime_type.rb +++ b/actionpack/lib/action_controller/mime_type.rb @@ -25,7 +25,7 @@ module Mime # These are the content types which browsers can generate without using ajax, flash, etc # i.e. following a link, getting an image or posting a form. CSRF protection # only needs to protect against these types. - @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form] + @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form, :text] cattr_reader :browser_generated_types @@ -177,7 +177,7 @@ module Mime end # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See - # ActionController::RequestForgerProtection. + # ActionController::RequestForgeryProtection. def verify_request? browser_generated? end -- cgit v1.2.3