Security: HTTP GET Bypassed Spam Protection
Apparently, the form_spam_protect plugin only works with HTTP POST, not GET. Unsafe operations (save and file-upload) should be POSTs anyway. Fixed. Also, two broken tests fixed. Only two Unit Tests now fail: both are minor bugs in XHTMLDiff.
This commit is contained in:
Jacques Distler
parent
be8bb3d06d
commit
2484542f12
6 changed files with 22 additions and 5 deletions
|
|
@ -12,6 +12,11 @@ class FileController < ApplicationController
|
|||
def file
|
||||
@file_name = params['id']
|
||||
if params['file']
|
||||
unless (request.post? || ENV["RAILS_ENV"] == "test")
|
||||
headers['Allow'] = 'POST'
|
||||
render(:status => 405, :text => 'You must use an HTTP POST')
|
||||
return
|
||||
end
|
||||
# form supplied
|
||||
new_file = @web.wiki_files.create(params['file'])
|
||||
if new_file.valid?
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue