github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-30 00:38:00 -05:00
Code Issues Packages Projects Releases Wiki Activity

Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]

Browse Source 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4644 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
This commit is contained in:
Rick Olson
2006-08-01 03:02:31 +00:00
parent c9417dcef3
commit 58b996f9b0
3 changed files with 33 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
actionpack/CHANGELOG
View File

@@ -1,5 +1,7 @@
*SVN*
* Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]
* Fix bug when passing multiple options to SimplyRestful, like :new => { :preview => :get, :draft => :get }. [Rick Olson, Josh Susser, Lars Pind]
* Dup the options passed to map.resources so that multiple resources get the same options. [Rick Olson]

4
actionpack/lib/action_controller/request.rb
View File

@@ -15,8 +15,8 @@ module ActionController
# Returns the HTTP request method as a lowercase symbol (:get, for example)
def method
@request_method ||= (method = parameters[:_method] && method == :post) ?
method.to_s.downcase.to_sym :
@request_method ||= (!parameters[:_method].blank? && @env['REQUEST_METHOD'] == 'POST') ?
parameters[:_method].to_s.downcase.to_sym :
@env['REQUEST_METHOD'].downcase.to_sym
end

30
actionpack/test/controller/request_test.rb
View File

@@ -262,5 +262,33 @@ class RequestTest < Test::Unit::TestCase
@request.env['HTTP_X_FORWARDED_PROTO'] = 'https'
assert @request.ssl?
end
def test_symbolized_request_methods
[:head, :get, :post, :put, :delete].each do |method|
set_request_method_to method
assert_equal method, @request.method
end
end
def test_allow_method_hacking_on_post
set_request_method_to :post
[:head, :get, :put, :delete].each do |method|
@request.instance_eval { @parameters = { :_method => method } ; @request_method = nil }
assert_equal method, @request.method
end
end
def test_restrict_method_hacking
@request.instance_eval { @parameters = { :_method => 'put' } }
[:head, :get, :put, :delete].each do |method|
set_request_method_to method
assert_equal method, @request.method
end
end
protected
def set_request_method_to(method)
@request.env['REQUEST_METHOD'] = method.to_s.upcase
@request.instance_eval { @request_method = nil }
end
end