From 0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2 Mon Sep 17 00:00:00 2001
From: rick <rick@spacemonkey.local>
Date: Tue, 6 May 2008 00:42:24 -0700
Subject: Change the request forgery protection to go by Content-Type instead
 of request.format so that you can't bypass it by POSTing to
 "#{request.uri}.xml" [#73 state:resolved]

---
 .../controller/request_forgery_protection_test.rb  | 29 +++++++++++++++++++---
 1 file changed, 25 insertions(+), 4 deletions(-)

(limited to 'actionpack/test/controller')

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index d0c3c6e224..295075fed4 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -93,19 +93,37 @@ module RequestForgeryProtectionTests
     post :unsafe
     assert_response :success
   end
-  
+
   def test_should_not_allow_post_without_token
     assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
   end
-  
+
   def test_should_not_allow_put_without_token
     assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
   end
-  
+
   def test_should_not_allow_delete_without_token
     assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
   end
-  
+
+  def test_should_not_allow_api_formatted_post_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do 
+      post :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_put_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      put :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_delete_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      delete :index, :format => 'xml'
+    end
+  end
+
   def test_should_not_allow_xhr_post_without_token
     assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
   end
@@ -134,16 +152,19 @@ module RequestForgeryProtectionTests
   end
   
   def test_should_allow_post_with_xml
+    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
     post :index, :format => 'xml'
     assert_response :success
   end
   
   def test_should_allow_put_with_xml
+    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
     put :index, :format => 'xml'
     assert_response :success
   end
   
   def test_should_allow_delete_with_xml
+    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
     delete :index, :format => 'xml'
     assert_response :success
   end
-- 
cgit v1.2.3