Commit 099a98e9b7108dae3e0f78b207e0a7dc5913bd1a to rails's rails

099a98e
all branches
- 1-2-stable
- 2-0-stable
- 2-1-stable
- 2-2-stable
- 2-3-stable
- 3-0-unstable
- HEAD
- master
all tags
- v0.9.1
- v0.9.2
- v0.9.3
- v0.9.4
- v0.9.4.1
- v0.9.5
- v0.10.0
- v0.10.1
- v0.11.0
- v0.11.1
- v0.12.0
- v0.13.0
- v0.13.1
- v0.14.1
- v0.14.2
- v0.14.3
- v0.14.4
- v1.0.0
- v1.1.0
- v1.1.0_RC1
- v1.1.1
- v1.1.2
- v1.1.3
- v1.1.4
- v1.1.5
- v1.1.6
- v1.2.0
- v1.2.0_RC1
- v1.2.0_RC2
- v1.2.1
- v1.2.2
- v1.2.3
- v1.2.4
- v1.2.5
- v1.2.6
- v2.0.0
- v2.0.0_PR
- v2.0.0_RC1
- v2.0.0_RC2
- v2.0.1
- v2.0.2
- v2.0.3
- v2.0.4
- v2.0.5
- v2.1.0
- v2.1.0_RC1
- v2.1.1
- v2.1.2
- v2.2.0
- v2.2.1
- v2.2.2
- v2.3.0
- v2.3.1
- v2.3.2
- v2.3.2.1
comments

rails / rails

677

3837

Description:	Ruby on Rails edit
Homepage:	http://rubyonrails.org edit
Public Clone URL:	git://github.com/rails/rails.git Give this clone URL to anyone. `git clone git://github.com/rails/rails.git`
Your Clone URL:	git@github.com:rails/rails.git Use this clone URL yourself. `git clone git@github.com:rails/rails.git`

Verify form submissions for text/plain posts too.

Some browsers can POST requests with text/plain encoding, allowing attackers to  
potentially subvert the request forgery prevention.

http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/

NZKoz (author)

Sun Nov 16 11:35:25 -0800 2008

commit 099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
tree 1a12dbfe5aff023b4a355098d6c1a5995071e323
parent 7ce3a597249d99b1b3247d5f0ea5490416bd8f38

actionpack/lib/action_controller/mime_type.rb

actionpack/lib/action_controller/mime_type.rb

0
@@ -18,7 +18,7 @@ module Mime
0
   #   end
0
   class Type
0
     @@html_types = Set.new [:html, :all]
0
-    @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
0
+    @@unverifiable_types = Set.new [:json, :csv, :xml, :rss, :atom, :yaml]
0
     cattr_reader :html_types, :unverifiable_types
0
 
0
     # A simple helper class used in parsing the accept header

Comments