From 58b996f9b03668573fef2696d583ff04191a5fa7 Mon Sep 17 00:00:00 2001
From: Rick Olson
Date: Tue, 1 Aug 2006 03:02:31 +0000
Subject: Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4644 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
actionpack/CHANGELOG | 2 ++
actionpack/lib/action_controller/request.rb | 4 ++--
actionpack/test/controller/request_test.rb | 30 ++++++++++++++++++++++++++++-
3 files changed, 33 insertions(+), 3 deletions(-)
(limited to 'actionpack')
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index c93ff29d7a..c5578ee056 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
+* Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]
+
 * Fix bug when passing multiple options to SimplyRestful, like :new => { :preview => :get, :draft => :get }. [Rick Olson, Josh Susser, Lars Pind]
 * Dup the options passed to map.resources so that multiple resources get the same options. [Rick Olson]
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index 0802353405..35a486fee4 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -15,8 +15,8 @@ module ActionController
 # Returns the HTTP request method as a lowercase symbol (:get, for example)
 def method
- @request_method ||= (method = parameters[:_method] && method == :post) ? method.to_s.downcase.to_sym :
+ @request_method ||= (!parameters[:_method].blank? && @env['REQUEST_METHOD'] == 'POST') ? parameters[:_method].to_s.downcase.to_sym :
 @env['REQUEST_METHOD'].downcase.to_sym
 end
diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
index 43cd8836fe..9f79e7d6df 100644
--- a/actionpack/test/controller/request_test.rb
+++ b/actionpack/test/controller/request_test.rb
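Review bot: The override branch `parameters[:_method].to_s.downcase.to_sym` in `method` still accepts any client-supplied value, so a POST carrying `_method=foo` makes the request method `:foo`, and because the string is interned as a Symbol (which the Ruby releases of this era never garbage-collect) every distinct value stays allocated for the life of the process. Now that the commit gates the override on the real `REQUEST_METHOD`, the same condition is the natural place to gate the value, e.g. `override = parameters[:_method].to_s.downcase` followed by `@request_method ||= (%w(get head put delete).include?(override) && @env['REQUEST_METHOD'] == 'POST') ? override.to_sym : @env['REQUEST_METHOD'].downcase.to_sym`. Whether an unrecognised `_method` should fall back to the real verb or be rejected is a design decision, but it should not become an arbitrary symbol. The comment above `def method` describes only the return value; a second line such as `# A _method parameter overrides the verb only when the request itself is a POST.` would record the new rule where callers will look for it.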
@@ -262,5 +262,33 @@ class RequestTest < Test::Unit::TestCase
 @request.env['HTTP_X_FORWARDED_PROTO'] = 'https'
 assert @request.ssl?
 end
-
+
+ def test_symbolized_request_methods
+ [:head, :get, :post, :put, :delete].each do |method|
+ set_request_method_to method
+ assert_equal method, @request.method
+ end
+ end
+
+ def test_allow_method_hacking_on_post
+ set_request_method_to :post
+ [:head, :get, :put, :delete].each do |method|
+ @request.instance_eval { @parameters = { :_method => method } ; @request_method = nil }
+ assert_equal method, @request.method
+ end
+ end
+
+ def test_restrict_method_hacking
+ @request.instance_eval { @parameters = { :_method => 'put' } }
+ [:head, :get, :put, :delete].each do |method|
+ set_request_method_to method
+ assert_equal method, @request.method
+ end
+ end
+
+ protected
+ def set_request_method_to(method)
+ @request.env['REQUEST_METHOD'] = method.to_s.upcase
+ @request.instance_eval { @request_method = nil }
+ end
 end
-- cgit v1.2.3
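Review bot: `test_allow_method_hacking_on_post` supplies `_method` as Symbols (`{ :_method => method }`), whereas a real request delivers it as a String such as `'PUT'` or `'put'`, so the `to_s.downcase` normalisation that production traffic depends on is exercised only through `test_restrict_method_hacking`'s lowercase `'put'` and never with mixed case. Adding a string case to the POST test, e.g. `@request.instance_eval { @parameters = { :_method => 'PUT' } ; @request_method = nil }` followed by `assert_equal :put, @request.method`, would pin that path. In `test_restrict_method_hacking` the `:put` iteration cannot fail, since the override value equals the real verb there; choosing an override value outside the iterated list, or skipping the matching verb, would make every iteration discriminating. Neither test covers a `_method` value that is not an HTTP verb, so the current behaviour for such input is unpinned. The enclosing class `RequestTest` begins outside this hunk.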