This project is archived and is in readonly mode.

Changeset [0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2] by rick

May 6th, 2008 @ 08:42 AM

Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]

Committed by Repository

  • M actionpack/CHANGELOG
  • M actionpack/lib/action_controller/request_forgery_protection.rb
  • M actionpack/test/controller/request_forgery_protection_test.rb

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>