From 0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2 Mon Sep 17 00:00:00 2001
From: rick <rick@spacemonkey.local>
Date: Tue, 6 May 2008 00:42:24 -0700
Subject: Change the request forgery protection to go by Content-Type instead
 of request.format so that you can't bypass it by POSTing to
 "#{request.uri}.xml" [#73 state:resolved]

---
 actionpack/lib/action_controller/request_forgery_protection.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack/lib/action_controller/request_forgery_protection.rb')

diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 7e6961d25f..1b349baeaf 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -99,7 +99,7 @@ module ActionController #:nodoc:
       end
     
       def verifiable_request_format?
-        request.format.html? || request.format.js?
+        request.content_type.nil? || request.content_type.html?
       end
     
       # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
-- 
cgit v1.2.3