github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-04-26 03:00:59 -04:00
Code Issues Packages Projects Releases Wiki Activity

change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73]

Browse Source
This commit is contained in:
rick
2008-05-06 02:58:32 -07:00
parent 92e2e5990c
commit c8451aeeea
5 changed files with 84 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
actionpack/lib/action_controller/mime_type.rb
View File

@@ -17,6 +17,10 @@ module Mime
# end
# end
class Type
@@html_types = Set.new [:html, :all]
@@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
cattr_reader :html_types, :unverifiable_types
# A simple helper class used in parsing the accept header
class AcceptItem #:nodoc:
attr_accessor :order, :name, :q
@@ -153,12 +157,21 @@ module Mime
synonym.to_s == mime_type.to_s || synonym.to_sym == mime_type.to_sym
end
end
# Returns true if ActionPack should check requests using this Mime Type for possible request forgery. See
# ActionController::RequestForgerProtection.
def verify_request?
!@@unverifiable_types.include?(to_sym)
end
def html?
@@html_types.include?(to_sym) || @string =~ /html/
end
private
def method_missing(method, *args)
if method.to_s =~ /(\w+)\?$/
mime_type = $1.downcase.to_sym
mime_type == @symbol || (mime_type == :html && @symbol == :all)
$1.downcase.to_sym == to_sym
else
super
end

2
actionpack/lib/action_controller/mime_types.rb
View File

@@ -17,4 +17,4 @@ Mime::Type.register "multipart/form-data", :multipart_form
Mime::Type.register "application/x-www-form-urlencoded", :url_encoded_form
# http://www.ietf.org/rfc/rfc4627.txt
Mime::Type.register "application/json", :json, %w( text/x-json )
Mime::Type.register "application/json", :json, %w( text/x-json )

2
actionpack/lib/action_controller/request_forgery_protection.rb
View File

@@ -99,7 +99,7 @@ module ActionController #:nodoc:
end
def verifiable_request_format?
request.content_type.nil? || request.content_type.html?
request.content_type.nil? || request.content_type.verify_request?
end
# Sets the token value for the current session. Pass a <tt>:secret</tt> option