commit 099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
Author: Michael Koziarski <michael@koziarski.com>
Date: Sun Nov 16 20:35:25 2008 +0100
Verify form submissions for text/plain posts too.
Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention.
http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb
index fa123f7..453fc67 100644
--- a/actionpack/lib/action_controller/mime_type.rb
+++ b/actionpack/lib/action_controller/mime_type.rb
@@ -18,7 +18,7 @@ module Mime
# end
class Type
@@html_types = Set.new [:html, :all]
- @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
+ @@unverifiable_types = Set.new [:json, :csv, :xml, :rss, :atom, :yaml]
cattr_reader :html_types, :unverifiable_types
|
# A simple helper class used in parsing the accept header
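Review bot: The `+` line leaves `@@unverifiable_types` as an undocumented exemption list — every format still in it (`json`, `csv`, `xml`, `rss`, `atom`, `yaml`) is one for which request-forgery verification is skipped, and the unstated assumption behind each entry is exactly what this commit had to correct for `:text`. A comment above the assignment should make that contract explicit, e.g. `# Formats assumed not to be producible by a browser form submission; requests in these formats bypass forgery verification, so any addition here needs the same scrutiny as the :text removal.` The code that consults `unverifiable_types` is outside this hunk, so whether the exemption is also conditioned on the request method or an XHR check cannot be confirmed from here.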