File f1ad8b48aae3ee26613b3e77bc0056e120096846.patch of Package rubygem-actionpack-2_1

Overview Repositories Revisions Requests Users Attributes Meta

File f1ad8b48aae3ee26613b3e77bc0056e120096846.patch of Package rubygem-actionpack-2_1

From f1ad8b48aae3ee26613b3e77bc0056e120096846 Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Thu, 13 Nov 2008 11:19:53 +0100
Subject: [PATCH] Instead of overriding html_types, base the verification on browser_generated_types.

Also Deprecate the old unverifiable types.

[#1145 state:committed]
---
 actionpack/lib/action_controller/mime_type.rb |   21 +++++++++++++++++----
 actionpack/test/controller/mime_type_test.rb  |    6 +++---
 2 files changed, 20 insertions(+), 7 deletions(-)

Index: lib/action_controller/mime_type.rb
===================================================================
--- lib/action_controller/mime_type.rb.orig	1970-01-01 01:00:00.000000000 +0100
+++ lib/action_controller/mime_type.rb	2010-02-02 02:07:28.341345989 +0100
@@ -18,8 +18,19 @@ module Mime
   #   end
   class Type
     @@html_types = Set.new [:html, :all]
+    cattr_reader :html_types
+
+    # These are the content types which browsers can generate without using ajax, flash, etc
+    # i.e. following a link, getting an image or posting a form.  CSRF protection
+    # only needs to protect against these types.
+    @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form]
+    cattr_reader :browser_generated_types
+
     @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
-    cattr_reader :html_types, :unverifiable_types
+    def self.unverifiable_types
+      ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller)
+      @@unverifiable_types
+    end
 
     # A simple helper class used in parsing the accept header
     class AcceptItem #:nodoc:
@@ -161,13 +172,17 @@ module Mime
     # Returns true if Action Pack should check requests using this Mime Type for possible request forgery.  See
     # ActionController::RequestForgerProtection.
     def verify_request?
-      !@@unverifiable_types.include?(to_sym)
+      browser_generated?
     end
 
     def html?
       @@html_types.include?(to_sym) || @string =~ /html/
     end
 
+    def browser_generated?
+      @@browser_generated_types.include?(to_sym)
+    end
+
     private
       def method_missing(method, *args)
         if method.to_s =~ /(\w+)\?$/
Index: test/controller/mime_type_test.rb
===================================================================
--- test/controller/mime_type_test.rb.orig	1970-01-01 01:00:00.000000000 +0100
+++ test/controller/mime_type_test.rb	2010-02-02 02:16:12.225759085 +0100
@@ -77,8 +77,8 @@ class MimeTypeTest < Test::Unit::TestCas
     # Remove custom Mime::Type instances set in other tests, like Mime::GIF and Mime::IPHONE
     all_types.delete_if { |type| !Mime.const_defined?(type.to_s.upcase) }
 
-    unverified, verified = all_types.partition { |type| Mime::Type.unverifiable_types.include? type }
-    assert verified.all?   { |type|  Mime.const_get(type.to_s.upcase).verify_request? }, "Not all Mime Types are verified: #{verified.inspect}"
-    assert unverified.all? { |type| !Mime.const_get(type.to_s.upcase).verify_request? }, "Some Mime Types are verified: #{unverified.inspect}"
+    verified, unverified = all_types.partition { |type| Mime::Type.browser_generated_types.include? type }
+    assert verified.each   { |type| assert  Mime.const_get(type.to_s.upcase).verify_request?, "Verifiable Mime Type is not verified: #{type.inspect}" }
+    assert unverified.each { |type| assert !Mime.const_get(type.to_s.upcase).verify_request?, "Nonverifiable Mime Type is verified: #{type.inspect}" }
   end
 end

Places

File f1ad8b48aae3ee26613b3e77bc0056e120096846.patch of Package rubygem-actionpack-2_1

Places