Description: Ruby on Rails
Homepage: http://rubyonrails.org
Clone URL: git://github.com/rails/rails.git
Verify form submissions for text/plain posts too.

Some browsers can POST requests with text/plain encoding, allowing attackers to  
potentially subvert the request forgery prevention.

http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
NZKoz (author)
Sun Nov 16 11:35:25 -0800 2008
commit  099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
tree    1a12dbfe5aff023b4a355098d6c1a5995071e323
parent  7ce3a597249d99b1b3247d5f0ea5490416bd8f38
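The bypass the commit message describes, as an added example that is not Rails code and not part of this commit: a minimal model of the request-forgery check that `@@unverifiable_types` feeds into, run against a cross-site `<form method="post" enctype="text/plain">` submission. `verified_request?`, `Request`, `CONTENT_TYPES` and `SECRET_TOKEN` are assumptions made for illustration; the shape of the check (GET exempt, listed content types exempt, everything else compared against the session token) is a simplification of the Rails 2.x logic, not its actual source.

```ruby
require 'set'

# Added example, not Rails code. Models the forgery check that the patched
# constant feeds into, so the text/plain bypass can be seen end to end.

# The two versions of the denylist from the diff.
OLD_UNVERIFIABLE = Set.new([:text, :json, :csv, :xml, :rss, :atom, :yaml])
NEW_UNVERIFIABLE = Set.new([:json, :csv, :xml, :rss, :atom, :yaml])

# Assumed mapping from Content-Type header to the symbolic mime name: the
# three encodings an HTML form can produce, plus two formats from the list.
CONTENT_TYPES = {
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'text/plain'                        => :text,
  'application/json'                  => :json,
  'application/xml'                   => :xml,
}.freeze

# Stand-in for the per-session form_authenticity_token (assumption).
SECRET_TOKEN = 'deadbeef'

Request = Struct.new(:method, :content_type, :params)

# Returns true when the request is accepted. The "unverifiable" set is a
# denylist: any content type listed there skips the token comparison
# entirely, on the assumption that a browser form cannot produce it.
def verified_request?(req, unverifiable)
  return true if req.method == :get
  sym = CONTENT_TYPES[req.content_type]
  # Unknown or listed types are treated as non-browser traffic: not checked.
  return true if sym.nil? || unverifiable.include?(sym)
  req.params['authenticity_token'] == SECRET_TOKEN
end

# Constructed sample: what a cross-site form with enctype="text/plain"
# delivers. The browser attaches the victim's session cookie, but the
# attacker cannot know the token, so the body carries none.
def forged_text_plain_post
  Request.new(:post, 'text/plain', { 'amount' => '1000', 'to' => 'attacker' })
end

# Constructed sample: the same forgery with the default form encoding.
def forged_urlencoded_post
  Request.new(:post, 'application/x-www-form-urlencoded',
              { 'amount' => '1000', 'to' => 'attacker' })
end

# Constructed sample: a legitimate same-site form post carrying the token.
def genuine_post
  Request.new(:post, 'application/x-www-form-urlencoded',
              { 'amount' => '10', 'authenticity_token' => SECRET_TOKEN })
end

# Outcome of each request under the old and the new denylist.
def outcomes
  {
    text_plain_forgery: [verified_request?(forged_text_plain_post, OLD_UNVERIFIABLE),
                         verified_request?(forged_text_plain_post, NEW_UNVERIFIABLE)],
    urlencoded_forgery: [verified_request?(forged_urlencoded_post, OLD_UNVERIFIABLE),
                         verified_request?(forged_urlencoded_post, NEW_UNVERIFIABLE)],
    genuine:            [verified_request?(genuine_post, OLD_UNVERIFIABLE),
                         verified_request?(genuine_post, NEW_UNVERIFIABLE)],
  }
end

if __FILE__ == $0
  outcomes.each { |name, (before, after)| puts "#{name}: before=#{before} after=#{after}" }
end
```

Only the text/plain forgery changes outcome: it is accepted with :text in the set and rejected once :text is removed, while the url-encoded forgery is rejected and the genuine post accepted under both. The model also shows why the fix is narrow: every type still in the set remains exempt, so the protection rests on browsers never being able to emit those encodings from a form.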
@@ -18,7 +18,7 @@ module Mime
   #   end
   class Type
     @@html_types = Set.new [:html, :all]
-    @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
+    @@unverifiable_types = Set.new [:json, :csv, :xml, :rss, :atom, :yaml]
     cattr_reader :html_types, :unverifiable_types
 
     # A simple helper class used in parsing the accept header
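Review bot: dropping :text from `@@unverifiable_types` closes the text/plain hole but keeps the denylist design, so :json, :csv, :xml, :rss, :atom and :yaml still skip token verification on the unstated assumption that no browser form can emit them; the safer shape is an allowlist of the encodings that must carry the token (the html types plus url-encoded, multipart and text/plain), with everything else verified by default. The hunk also changes behaviour with no accompanying test on this page; a functional test that a POST with `Content-Type: text/plain` and no authenticity token is rejected, and that one with the token is accepted, would pin the fix and document why :text is absent from the set.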