From c8451aeeea200043d8a3e6eae9c49def3a154ddb Mon Sep 17 00:00:00 2001
From: rick <rick@spacemonkey.local>
Date: Tue, 6 May 2008 02:58:32 -0700
Subject: change ActionController::RequestForgeryProtection to use
 Mime::Type#verify_request? [#73]

---
 actionpack/test/controller/mime_type_test.rb       | 25 +++++++++--
 .../controller/request_forgery_protection_test.rb  | 48 ++++++++++++++++++++--
 2 files changed, 66 insertions(+), 7 deletions(-)

(limited to 'actionpack/test')

diff --git a/actionpack/test/controller/mime_type_test.rb b/actionpack/test/controller/mime_type_test.rb
index 03b0f8bad2..f16a3c68b4 100644
--- a/actionpack/test/controller/mime_type_test.rb
+++ b/actionpack/test/controller/mime_type_test.rb
@@ -52,16 +52,33 @@ class MimeTypeTest < Test::Unit::TestCase
   end
 
   def test_type_convenience_methods
-    types = [:html, :xml, :png, :pdf, :yaml, :url_encoded_form]
+    # Don't test Mime::ALL, since it Mime::ALL#html? == true
+    types = Mime::SET.to_a.map(&:to_sym).uniq - [:all]
+
+    # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE
+    types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) }
+
     types.each do |type|
       mime = Mime.const_get(type.to_s.upcase)
-      assert mime.send("#{type}?"), "Mime::#{type.to_s.upcase} is not #{type}?"
-      (types - [type]).each { |t| assert !mime.send("#{t}?"), "Mime::#{t.to_s.upcase} is #{t}?" }
+      assert mime.send("#{type}?"), "#{mime.inspect} is not #{type}?"
+      (types - [type]).each { |other_type| assert !mime.send("#{other_type}?"), "#{mime.inspect} is #{other_type}?" }
     end
   end
-  
+
   def test_mime_all_is_html
     assert Mime::ALL.all?,  "Mime::ALL is not all?"
     assert Mime::ALL.html?, "Mime::ALL is not html?"
   end
+
+  def test_verifiable_mime_types
+    unverified_types = Mime::Type.unverifiable_types
+    all_types = Mime::SET.to_a.map(&:to_sym)
+    all_types.uniq!
+    # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE
+    all_types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) }
+
+    unverified, verified = all_types.partition { |type| Mime::Type.unverifiable_types.include? type }
+    assert verified.all?   { |type|  Mime.const_get(type.to_s.upcase).verify_request? }, "Not all Mime Types are verified: #{verified.inspect}"
+    assert unverified.all? { |type| !Mime.const_get(type.to_s.upcase).verify_request? }, "Some Mime Types are verified: #{unverified.inspect}"
+  end
 end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 295075fed4..833e8d8e00 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -107,19 +107,61 @@ module RequestForgeryProtectionTests
   end
 
   def test_should_not_allow_api_formatted_post_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) do 
+    assert_raises(ActionController::InvalidAuthenticityToken) do
       post :index, :format => 'xml'
     end
   end
 
-  def test_should_not_allow_put_without_token
+  def test_should_not_allow_api_formatted_put_without_token
     assert_raises(ActionController::InvalidAuthenticityToken) do
       put :index, :format => 'xml'
     end
   end
 
-  def test_should_not_allow_delete_without_token
+  def test_should_not_allow_api_formatted_delete_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      delete :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_post_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      post :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_put_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      put :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_delete_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      delete :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_post_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      post :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_put_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      put :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_token
     assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
       delete :index, :format => 'xml'
     end
   end
-- 
cgit v1.2.3