change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73]

2026-04-26 03:00:59 -04:00 · 2008-05-06 02:58:32 -07:00
parent 92e2e5990c
commit c8451aeeea
5 changed files with 84 additions and 12 deletions
--- a/actionpack/test/controller/mime_type_test.rb
+++ b/actionpack/test/controller/mime_type_test.rb
@@ -52,16 +52,33 @@ class MimeTypeTest < Test::Unit::TestCase
  end

  def test_type_convenience_methods
-    types = [:html, :xml, :png, :pdf, :yaml, :url_encoded_form]
+    # Don't test Mime::ALL, since it Mime::ALL#html? == true
+    types = Mime::SET.to_a.map(&:to_sym).uniq - [:all]
+
+    # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE
+    types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) }
+
    types.each do |type|
      mime = Mime.const_get(type.to_s.upcase)
-      assert mime.send("#{type}?"), "Mime::#{type.to_s.upcase} is not #{type}?"
-      (types - [type]).each { |t| assert !mime.send("#{t}?"), "Mime::#{t.to_s.upcase} is #{t}?" }
+      assert mime.send("#{type}?"), "#{mime.inspect} is not #{type}?"
+      (types - [type]).each { |other_type| assert !mime.send("#{other_type}?"), "#{mime.inspect} is #{other_type}?" }
    end
  end
-  
+
  def test_mime_all_is_html
    assert Mime::ALL.all?,  "Mime::ALL is not all?"
    assert Mime::ALL.html?, "Mime::ALL is not html?"
  end
+
+  def test_verifiable_mime_types
+    unverified_types = Mime::Type.unverifiable_types
+    all_types = Mime::SET.to_a.map(&:to_sym)
+    all_types.uniq!
+    # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE
+    all_types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) }
+
+    unverified, verified = all_types.partition { |type| Mime::Type.unverifiable_types.include? type }
+    assert verified.all?   { |type|  Mime.const_get(type.to_s.upcase).verify_request? }, "Not all Mime Types are verified: #{verified.inspect}"
+    assert unverified.all? { |type| !Mime.const_get(type.to_s.upcase).verify_request? }, "Some Mime Types are verified: #{unverified.inspect}"
+  end
 end
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -107,23 +107,65 @@ module RequestForgeryProtectionTests
  end

  def test_should_not_allow_api_formatted_post_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) do 
+    assert_raises(ActionController::InvalidAuthenticityToken) do
      post :index, :format => 'xml'
    end
  end

-  def test_should_not_allow_put_without_token
+  def test_should_not_allow_api_formatted_put_without_token
    assert_raises(ActionController::InvalidAuthenticityToken) do
      put :index, :format => 'xml'
    end
  end

-  def test_should_not_allow_delete_without_token
+  def test_should_not_allow_api_formatted_delete_without_token
    assert_raises(ActionController::InvalidAuthenticityToken) do
      delete :index, :format => 'xml'
    end
  end

+  def test_should_not_allow_api_formatted_post_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      post :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_put_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      put :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_delete_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      delete :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_post_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      post :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_put_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      put :index, :format => 'xml'
+    end
+  end
+
+  def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      delete :index, :format => 'xml'
+    end
+  end
+
  def test_should_not_allow_xhr_post_without_token
    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
  end