From 8c197fb4ab4fa432a6e9421e0339a17a7ec296f1 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Sun, 16 Nov 2008 20:19:02 +0100
Subject: [PATCH] Add text/plain to the browser_generated_types array as webkit and gecko can submit them.

For more information see: http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
---
 actionpack/lib/action_controller/mime_type.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb
index 8ca3a70341..6923a13f3f 100644
--- a/actionpack/lib/action_controller/mime_type.rb
+++ b/actionpack/lib/action_controller/mime_type.rb
@@ -25,7 +25,7 @@ module Mime
 # These are the content types which browsers can generate without using ajax, flash, etc
 # i.e. following a link, getting an image or posting a form. CSRF protection
 # only needs to protect against these types.
- @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form]
+ @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form, :text]
 cattr_reader :browser_generated_types
@@ -177,7 +177,7 @@ module Mime
 end
 # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See
- # ActionController::RequestForgerProtection.
+ # ActionController::RequestForgeryProtection.
 def verify_request?
 browser_generated?
 end
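Review bot: The `@@browser_generated_types` set changed in the first hunk is still a list of the content types that get verified, so a request whose Content-Type is not in it skips the forgery check; adding `:text` closes one gap but keeps that fail-open shape. The second hunk shows `verify_request?` returning `browser_generated?`, so the decision appears to rest on a header the client supplies; verifying every non-GET request unless its type is explicitly exempted would be the safer rule, though that goes beyond this patch. The diffstat shows no test file, so a regression test asserting that a `text/plain` POST without a valid token is rejected would pin the new behaviour. The comment above the set could also record why the entry is there, e.g. `# :text is listed because a form with enctype="text/plain" is submitted by WebKit and Gecko without script`. The enclosing `module Mime` body starts and ends outside both hunks.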