Instead of overriding html_types, base the verification on browser_generated_types.

Also Deprecate the old unverifiable types. [#1145 state:committed]
2022-11-09 12:12:34 -05:00 · 2008-11-13 11:19:53 +01:00 · 2008-11-13 11:19:53 +01:00 · f1ad8b48aa
commit f1ad8b48aa
parent 00c46b5eeb
2 changed files with 20 additions and 7 deletions
--- a/actionpack/lib/action_controller/mime_type.rb
+++ b/actionpack/lib/action_controller/mime_type.rb
@ -19,12 +19,21 @@ module Mime
  #     end
  #   end
  class Type
-    @@html_types = Set.new [:html, :url_encoded_form, :multipart_form, :all]
+    @@html_types = Set.new [:html, :all]
    cattr_reader :html_types

-    # UNUSED, deprecate?
+    # These are the content types which browsers can generate without using ajax, flash, etc
+    # i.e. following a link, getting an image or posting a form.  CSRF protection
+    # only needs to protect against these types.
+    @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form]
+    cattr_reader :browser_generated_types
+
+
    @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
-    cattr_reader :unverifiable_types
+    def self.unverifiable_types
+      ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller)
+      @@unverifiable_types
+    end

    # A simple helper class used in parsing the accept header
    class AcceptItem #:nodoc:
@ -170,13 +179,17 @@ module Mime
    # Returns true if Action Pack should check requests using this Mime Type for possible request forgery.  See
    # ActionController::RequestForgerProtection.
    def verify_request?
-      html?
+      browser_generated?
    end

    def html?
      @@html_types.include?(to_sym) || @string =~ /html/
    end

+    def browser_generated?
+      @@browser_generated_types.include?(to_sym)
+    end
+
    private
      def method_missing(method, *args)
        if method.to_s =~ /(\w+)\?$/
--- a/actionpack/test/controller/mime_type_test.rb
+++ b/actionpack/test/controller/mime_type_test.rb
@ -77,8 +77,8 @@ class MimeTypeTest < Test::Unit::TestCase
    all_types.uniq!
    # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE
    all_types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) }
-    verified, unverified = all_types.partition { |type| Mime::Type.html_types.include? type }
-    assert verified.each   { |type| assert  Mime.const_get(type.to_s.upcase).verify_request?, "Mime Type is not verified: #{type.inspect}" }
-    assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Mime Type is verified: #{type.inspect}" }
+    verified, unverified = all_types.partition { |type| Mime::Type.browser_generated_types.include? type }
+    assert verified.each   { |type| assert  Mime.const_get(type.to_s.upcase).verify_request?, "Verifiable Mime Type is not verified: #{type.inspect}" }
+    assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Nonverifiable Mime Type is verified: #{type.inspect}" }
  end
 end