diff --git a/actionpack/lib/action_controller/response.rb b/actionpack/lib/action_controller/response.rb
index 815f749..ff1702e 100644
--- a/actionpack/lib/action_controller/response.rb
+++ b/actionpack/lib/action_controller/response.rb
@@ -64,12 +64,13 @@ module ActionController # :nodoc:
 # the character set information will also be included in the content type
 # information.
 def content_type=(mime_type)
- self.headers["Content-Type"] =
+ new_content_type =
 if mime_type =~ /charset/ || (c = charset).nil?
 mime_type.to_s
 else
 "#{mime_type}; charset=#{c}"
 end
+ self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
 end
 
 # Returns the response's content MIME type, or nil if content type has been set.
diff --git a/actionpack/test/controller/content_type_test.rb b/actionpack/test/controller/content_type_test.rb
index 32c1757..852fbfa 100644
--- a/actionpack/test/controller/content_type_test.rb
+++ b/actionpack/test/controller/content_type_test.rb
@@ -46,6 +46,11 @@ class ContentTypeController < ActionController::Base
 format.rss { render :text => "hello world!", :content_type => Mime::XML }
 end
 end
+
+ def render_content_type_from_user_input
+ response.content_type= params[:hello]
+ render :text=>"hello"
+ end
 
 def rescue_action(e) raise end
 end
@@ -129,6 +134,11 @@ class ContentTypeTest < ActionController::TestCase
 assert_equal Mime::HTML, @response.content_type
 assert_equal "utf-8", @response.charset
 end
+
+ def test_user_supplied_value
+ get :render_content_type_from_user_input, :hello=>"hello/world\r\nAttack: true"
+ assert_equal "hello/world%0D%0AAttack: true", @response.content_type
+ end
 end
 
 class AcceptBasedContentTypeTest < ActionController::TestCase
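Review bot: The new `self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")` line percent-encodes CR and LF instead of rejecting them, so a caller-supplied value containing a line break still reaches the client as a header whose media type is no longer valid (`hello/world%0D%0AAttack: true`, as the new test asserts) and the bad input is never surfaced to the developer. Failing loudly would make the misuse visible: `raise ArgumentError, "Content-Type must not contain CR or LF" if new_content_type =~ /[\r\n]/`, placed before the header assignment. `URI.escape` is also obsolete in later Ruby versions and removed in Ruby 3.0, so a `delete("\r\n")`-based filter would be more durable if encoding rather than rejecting is the intended policy. Either way the line deserves a why-comment, e.g. `# Neutralize CR/LF so a caller-supplied value cannot terminate the header and add further header lines`.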
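Review bot: `response.content_type= params[:hello]` in the new fixture action glues the setter's `=` to the method name; write it as an attribute assignment, `response.content_type = params[:hello]`, and match the hash-rocket spacing of the surrounding `render :text => "hello world!"` line with `render :text => "hello"`. Because the action intentionally forwards a raw request parameter into a response header, a one-line comment such as `# Deliberately passes a raw param through content_type= so the CR/LF handling can be tested` keeps a later reader from treating it as a pattern to copy.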
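Review bot: `assert_equal "hello/world%0D%0AAttack: true", @response.content_type` pins the test to `URI.escape`'s exact percent-encoding, so any equivalent sanitization (stripping, rejecting) fails the test even though the property being protected is unchanged. Asserting the property directly is more robust and reads as a regression test for header injection: `assert_no_match /[\r\n]/, @response.headers["Content-Type"]`, alongside or in place of the equality check. The `:hello=>"..."` argument would also read better with the `:key => value` spacing used in the controller's `render` calls.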