Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]
This commit is contained in:
parent
04f52219f1
commit
0697d17d12
|
@ -1,5 +1,7 @@
|
|||
*SVN*
|
||||
|
||||
* Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [rick]
|
||||
|
||||
* Fixed that TextHelper#text_field would corrypt when raw HTML was used as the value (mchenryc, Kevin Glowacz) [#80]
|
||||
|
||||
* Added ActionController::TestCase#rescue_action_in_public! to control whether the action under test should use the regular rescue_action path instead of simply raising the exception inline (great for error testing) [DHH]
|
||||
|
|
|
@ -99,7 +99,7 @@ module ActionController #:nodoc:
|
|||
end
|
||||
|
||||
def verifiable_request_format?
|
||||
request.format.html? || request.format.js?
|
||||
request.content_type.nil? || request.content_type.html?
|
||||
end
|
||||
|
||||
# Sets the token value for the current session. Pass a <tt>:secret</tt> option
|
||||
|
|
|
@ -93,19 +93,37 @@ module RequestForgeryProtectionTests
|
|||
post :unsafe
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
|
||||
def test_should_not_allow_post_without_token
|
||||
assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
|
||||
end
|
||||
|
||||
|
||||
def test_should_not_allow_put_without_token
|
||||
assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
|
||||
end
|
||||
|
||||
|
||||
def test_should_not_allow_delete_without_token
|
||||
assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
|
||||
end
|
||||
|
||||
|
||||
def test_should_not_allow_api_formatted_post_without_token
|
||||
assert_raises(ActionController::InvalidAuthenticityToken) do
|
||||
post :index, :format => 'xml'
|
||||
end
|
||||
end
|
||||
|
||||
def test_should_not_allow_put_without_token
|
||||
assert_raises(ActionController::InvalidAuthenticityToken) do
|
||||
put :index, :format => 'xml'
|
||||
end
|
||||
end
|
||||
|
||||
def test_should_not_allow_delete_without_token
|
||||
assert_raises(ActionController::InvalidAuthenticityToken) do
|
||||
delete :index, :format => 'xml'
|
||||
end
|
||||
end
|
||||
|
||||
def test_should_not_allow_xhr_post_without_token
|
||||
assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
|
||||
end
|
||||
|
@ -134,16 +152,19 @@ module RequestForgeryProtectionTests
|
|||
end
|
||||
|
||||
def test_should_allow_post_with_xml
|
||||
@request.env['CONTENT_TYPE'] = Mime::XML.to_s
|
||||
post :index, :format => 'xml'
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
def test_should_allow_put_with_xml
|
||||
@request.env['CONTENT_TYPE'] = Mime::XML.to_s
|
||||
put :index, :format => 'xml'
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
def test_should_allow_delete_with_xml
|
||||
@request.env['CONTENT_TYPE'] = Mime::XML.to_s
|
||||
delete :index, :format => 'xml'
|
||||
assert_response :success
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue