openSUSE:Evergreen:11.1:kernel-2.6.32
rubygem-actionpack-2_1
f1ad8b48aae3ee26613b3e77bc0056e120096846.patch
File f1ad8b48aae3ee26613b3e77bc0056e120096846.patch of Package rubygem-actionpack-2_1
From f1ad8b48aae3ee26613b3e77bc0056e120096846 Mon Sep 17 00:00:00 2001 From: Michael Koziarski <michael@koziarski.com> Date: Thu, 13 Nov 2008 11:19:53 +0100 Subject: [PATCH] Instead of overriding html_types, base the verification on browser_generated_types. Also Deprecate the old unverifiable types. [#1145 state:committed] --- actionpack/lib/action_controller/mime_type.rb | 21 +++++++++++++++++---- actionpack/test/controller/mime_type_test.rb | 6 +++--- 2 files changed, 20 insertions(+), 7 deletions(-) Index: lib/action_controller/mime_type.rb =================================================================== --- lib/action_controller/mime_type.rb.orig 1970-01-01 01:00:00.000000000 +0100 +++ lib/action_controller/mime_type.rb 2010-02-02 02:07:28.341345989 +0100 @@ -18,8 +18,19 @@ module Mime # end class Type @@html_types = Set.new [:html, :all] + cattr_reader :html_types + + # These are the content types which browsers can generate without using ajax, flash, etc + # i.e. following a link, getting an image or posting a form. CSRF protection + # only needs to protect against these types. + @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form] + cattr_reader :browser_generated_types + @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml] - cattr_reader :html_types, :unverifiable_types + def self.unverifiable_types + ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller) + @@unverifiable_types + end # A simple helper class used in parsing the accept header class AcceptItem #:nodoc: 
@@ -161,13 +172,17 @@ module Mime # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See # ActionController::RequestForgerProtection. def verify_request? - !@@unverifiable_types.include?(to_sym) + browser_generated? end def html? @@html_types.include?(to_sym) || @string =~ /html/ end + def browser_generated? + @@browser_generated_types.include?(to_sym) + end + private def method_missing(method, *args) if method.to_s =~ /(\w+)\?$/ Index: test/controller/mime_type_test.rb =================================================================== --- test/controller/mime_type_test.rb.orig 1970-01-01 01:00:00.000000000 +0100 +++ test/controller/mime_type_test.rb 2010-02-02 02:16:12.225759085 +0100 @@ -77,8 +77,8 @@ class MimeTypeTest < Test::Unit::TestCas # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE all_types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) } - unverified, verified = all_types.partition { |type| Mime::Type.unverifiable_types.include? type } - assert verified.all? { |type| Mime.const_get(type.to_s.upcase).verify_request? }, "Not all Mime Types are verified: #{verified.inspect}" - assert unverified.all? { |type| !Mime.const_get(type.to_s.upcase).verify_request? }, "Some Mime Types are verified: #{unverified.inspect}" + verified, unverified = all_types.partition { |type| Mime::Type.browser_generated_types.include? type } + assert verified.each { |type| assert Mime.const_get(type.to_s.upcase).verify_request?, "Verifiable Mime Type is not verified: #{type.inspect}" } + assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Nonverifiable Mime Type is verified: #{type.inspect}" } end end
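Review bot: the first hunk of lib/action_controller/mime_type.rb flips the default for types that are in neither set. Before, `verify_request?` was true for every Mime::Type not listed in `@@unverifiable_types`; after, it is true only for the three entries of `@@browser_generated_types`, so any other registered type (the test file itself mentions custom ones such as Mime::GIF and Mime::IPHONE) now skips forgery verification unless someone adds it to the new set. That is the intended design, but the comment above `@@browser_generated_types` should state the assumption it rests on (a browser cannot submit a cross-site form with any content type outside that set) and the deprecation message should tell callers that the set to extend is now `browser_generated_types`, since an application that previously added entries to `unverifiable_types` will silently see no effect.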
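Review bot: in the second hunk of lib/action_controller/mime_type.rb, `browser_generated?` decides on `@@browser_generated_types.include?(to_sym)` alone, while `html?` immediately above also falls back to `@string =~ /html/`. A type whose symbol is not in the set but whose string matches `html` is therefore `html?` but not `browser_generated?`, and with `verify_request?` now delegating to `browser_generated?` such a type is no longer verified; consider `@@browser_generated_types.include?(to_sym) || html?` so the two predicates agree. Also, the unchanged context comment still reads `ActionController::RequestForgerProtection`; it should be `RequestForgeryProtection`.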
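Review bot: in the test/controller/mime_type_test.rb hunk the outer `assert verified.each { ... }` and `assert unverified.each { ... }` always pass, because `each` returns the receiver array, which is truthy; the inner `assert` calls carry the check, so the outer ones should be dropped to avoid suggesting they test something. The test also no longer exercises `unverifiable_types` at all, so the deprecation path added in the first hunk is uncovered; an `assert_deprecated { Mime::Type.unverifiable_types }` case would lock in the warning.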