Rack::PostBodyToParams is affected by every Rails security issue induced by YAML deserialization for HTTP POST bodys as it just uses ActionSupport for that. You should either upgrade ActiveSupport or require ‘safe_yaml’. As of version 0.1.6 Rack::PostBodyToParams will prevent you from initializing if Hash.from_xml is unsafe.
Parses the POST or PUT body to a Hash and put it into the FORM_HASH. Most frameworks get the params hash from there.
You want to build a XMl or JSON API not with Rails? Perhaps Sinatra or Padrino? Are you missing the Rails feature that the body of XML and JSON POST or PUT requests are automatically parsed into the params hash? Here you go!
There is something similar already in the rack-contrib gem called Rack::PostBodyContentTypeParser. Besides being even less creative with the naming Rack::PostBodyToParams sports these features:
-
Parses XML as well.
-
Uses ActiveSupport. This may also considered to be a bug but it’s in almost every web-framework anyway. The following features sort of depend on it.
-
Uses ActiveSupports settings for XML & JSON parsing, mainly the parser that’s used. Including Nokogiri and YAJL for more speed and less memory consumption.
-
Parsers are configurable.
-
Parse errors are returned with as status 400 and the error message of the parser.
just
gem install rack-post-body-to-params
(sorry for the name ;-)
and then in your config.ru or app.rb:
require 'rack/post-body-to-params' use Rack::PostBodyToParams
or
use Rack::PostBodyContentTypeParser, :content_types => ['application/xml'], :parsers => { 'application/xml' => Proc.new{|a| my_own_xml_parser a }, 'application/foo' => Proc.new{|a| my_foo_parser a } }
As you can see you can restrict Rack::PostBodyToParams to only respond to ‘application/xml’ or ‘application/json’.
Make shure ActiveSupport is required and configured. Should look somewhat like this:
ActiveSupport::JSON.backend = 'Yajl' ActiveSupport::XmlMini.backend = 'Nokogiri'
Note that all current versions of ActiveSupport (up to 3.0.0.beta4) have a bug when requiring the yajl gem. See here for details: Rails Ticket 4897.
Either you have to patch your ActiveSupport gem or use another parser:
ActiveSupport::JSON.backend = 'YAML'
-
Fork the project.
-
Make your feature addition or bug fix.
-
Add tests for it. This is important so I don’t break it in a future version unintentionally.
-
Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
-
Send me a pull request. Bonus points for topic branches.
Copyright © 2010 Niko Dittmann. See LICENSE for details.