controllers: don't allow GET requests with params in the body.

Don't allow GET requests to pass the request params in the body instead
of in the URL. While Rails can handle GET params passed in the body, it
goes against spec and it may cause problems if the response is a redirect
and the client doesn't send the body params when following the redirect.

This may be a breaking change for broken API clients who were sending
GET params in the body instead of in the URL. This can happen when people
use HTTP libraries incorrectly.
evazion
2022-09-19 15:59:30 -05:00
parent 7977572865
commit 3184e77de0
2 changed files with 22 additions and 0 deletions


@@ -10,6 +10,20 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
assert_response 406
end
should "return 403 Bad Request for a GET request with a body" do
get root_path, headers: { "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json" }, env: { RAW_POST_DATA: "tags=touhou" }
assert_response 403
assert_equal("ApplicationController::RequestBodyNotAllowedError", response.parsed_body["error"])
assert_equal("Request body not allowed for GET request", response.parsed_body["message"])
end
should "return 200 OK for a POST request overriden to be a GET request" do
post root_path, headers: { "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json", "X-Http-Method-Override": "GET" }, env: { RAW_POST_DATA: "tags=touhou" }
assert_response 200
end
context "on a RecordNotFound error" do
should "return 404 Not Found even with a bad file extension" do
get post_path("bad.json")
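Review bot: The first added test is named "return 403 Bad Request", but 403 is Forbidden and Bad Request is 400, so the name disagrees with `assert_response 403`. Either rename it to `should "return 403 Forbidden for a GET request with a body" do` or, if 400 was the intent, change the assertion together with the controller, which is not visible in this section. Both new tests send only a form-encoded body; because Rails also parses JSON bodies into params, a companion case with `"Content-Type": "application/json"` and a JSON `RAW_POST_DATA` would confirm the rejection does not depend on the content type. The override test checks only `assert_response 200`, so it would still pass if the body params were silently dropped, and its name has a typo (`overriden` should be `overridden`). The enclosing test class begins outside the hunk.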