Verify form submissions for text/plain posts too.

Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention. http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
rails · Nov 18, 2008 · 099a98e · 099a98e
1 parent 7ce3a59
commit 099a98e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb
@@ -18,7 +18,7 @@ module Mime
   #   end
   class Type
     @@html_types = Set.new [:html, :all]
-    @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
+    @@unverifiable_types = Set.new [:json, :csv, :xml, :rss, :atom, :yaml]
     cattr_reader :html_types, :unverifiable_types
 
     # A simple helper class used in parsing the accept header