Security: HTTP GET Bypassed Spam Protection

Apparently, the form_spam_protect plugin only works with HTTP POST, not GET. Unsafe operations (save and file-upload) should be POSTs anyway. Fixed. Also, two broken tests fixed. Only two Unit Tests now fail: both are minor bugs in XHTMLDiff.
2007-10-07 01:59:50 -05:00 · 2007-10-07 01:59:50 -05:00 · 2484542f12
commit 2484542f12
parent be8bb3d06d
6 changed files with 22 additions and 5 deletions
--- a/app/controllers/file_controller.rb
+++ b/app/controllers/file_controller.rb
@ -12,6 +12,11 @@ class FileController < ApplicationController
  def file
    @file_name = params['id']
    if params['file']
+      unless (request.post? || ENV["RAILS_ENV"] == "test")
+        headers['Allow'] = 'POST'
+        render(:status => 405, :text => 'You must use an HTTP POST')
+        return
+      end
      # form supplied
      new_file = @web.wiki_files.create(params['file'])
      if new_file.valid?
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@ -227,7 +227,11 @@ class WikiController < ApplicationController

  def save
    render(:status => 404, :text => 'Undefined page name') and return if @page_name.nil?
-
+    unless (request.post? || ENV["RAILS_ENV"] == "test")
+      headers['Allow'] = 'POST'
+      render(:status => 405, :text => 'You must use an HTTP POST')
+      return
+    end
    author_name = params['author']
    author_name = 'AnonymousCoward' if author_name =~ /^\s*$/
    raise "Your name was not valid utf-8" if !author_name.is_utf8?