By design, Rails does not perform token verification on requests with
certain content types that are not typically generated by browsers.
Unfortunately this list also included 'text/plain', which browsers can
generate (an HTML form with enctype="text/plain" submits exactly that).
Requests can be crafted which circumvent the CSRF protection entirely.
Rails does not parse the parameters provided with these requests, but
that alone may not be enough to protect your application: an action
that reads the raw request body, or that changes state without needing
any parameters, is still reachable.
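The following is an added illustration, not code from the advisory or from Rails itself: a stripped-down model of the content-type check, with the denylist logic that skipped text/plain beside an allowlist that only trusts a request as "not browser-generated" when its type is known to be so. The Request struct, the policy lambdas and the type lists are assumptions made for the example; the real check lives in Rails's Mime::Type and uses different names.

```ruby
require 'set'

# Minimal stand-in for the parts of a request the CSRF check consults.
# (Constructed for this example; not the Rails request object.)
Request = Struct.new(:http_method, :content_type, :params, :raw_body)

# Vulnerable policy: a denylist of types assumed to come only from
# non-browser clients, so the token check is skipped for them.
# text/plain is on the list even though a browser form can send it.
SKIPPED_TYPES = Set.new(%w[
  text/plain application/json application/xml
  application/rss+xml application/atom+xml application/x-yaml
])
VULNERABLE_POLICY = lambda do |req|
  req.content_type.nil? || !SKIPPED_TYPES.include?(req.content_type)
end

# Fixed policy: an allowlist of types a browser can produce; anything on
# it (including text/plain) must carry a valid authenticity token.
BROWSER_TYPES = Set.new(%w[
  text/html application/x-www-form-urlencoded multipart/form-data text/plain
])
FIXED_POLICY = lambda do |req|
  req.content_type.nil? || BROWSER_TYPES.include?(req.content_type)
end

# Returns true when the request may proceed under the given policy.
def csrf_ok?(req, session_token, policy)
  return true if %w[GET HEAD].include?(req.http_method)  # safe methods
  return true unless policy.call(req)                     # type exempted
  req.params['authenticity_token'] == session_token
end

# Constructed sample traffic.
SESSION_TOKEN = 'example-session-token'

# What a cross-site <form method="post" enctype="text/plain"> sends:
# no token, and a body Rails will not parse into params.
CROSS_SITE_POST = Request.new('POST', 'text/plain', {}, "amount=1000\r\n")

# A legitimate form submission carrying the token.
LEGIT_POST = Request.new('POST', 'application/x-www-form-urlencoded',
                         { 'authenticity_token' => SESSION_TOKEN }, nil)

# A genuine API client; neither policy requires a token here.
JSON_POST = Request.new('POST', 'application/json', {}, '{"amount":1000}')

def outcome(policy)
  {
    cross_site: csrf_ok?(CROSS_SITE_POST, SESSION_TOKEN, policy),
    legit:      csrf_ok?(LEGIT_POST,      SESSION_TOKEN, policy),
    json:       csrf_ok?(JSON_POST,       SESSION_TOKEN, policy)
  }
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{outcome(VULNERABLE_POLICY)}"
  puts "fixed:      #{outcome(FIXED_POLICY)}"
end
```

Under the vulnerable policy the cross-site text/plain POST is accepted with no token at all; under the fixed policy it is rejected while the token-bearing form and the JSON API call still pass. The raw body is left unparsed in both cases, which is why an action that only needs to be hit, or that reads request.raw_post itself, gives the attacker what they want.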
Affected versions:
* All releases in the 2.1 series
* All 2.2 pre-releases
Versions 2.1.3 and 2.2.2 will contain a fix for this issue.
Users of 2.1.x releases are advised to insert the following code into
a file in config/initializers/
Users of Edge Rails after 2.2.1 should upgrade to the latest code in
The patch for the 2.1.x series is available at:
This will also apply cleanly to 2.2 pre-releases prior to the
Author: Michael Koziarski <mic...@koziarski.com>
Date: Thu Nov 13 11:19:53 2008 +0100
Users with edge-rails checkouts after that date are advised to
upgrade to the latest code in 2-2-stable.