Class: Rackful::MethodOverride

Middleware that provides method spoofing, like Rack::MethodOverride.

If you use this middleware, then clients are allowed to spoof an HTTP method by specifying a _method=... request parameter, for example http://example.com/some_resource?_method=DELETE.

This can be useful if you want to perform PUT and DELETE requests from within a browser, of when you want to perform a GET requests with (too) many parameters, exceeding the maximum URI length in your client or server. In that case, you can put the parameters in a POST body, like this:

POST /some_resource HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 123456789

param_1=hello&param_2=world&param_3=...

Caveats:

• this middleware won’t work well together with Digest Authentication.

• When a POST request is converted to a GET request, the entire request body is loaded into memory, which creates an attack surface for DoS-attacks. Hence, the maximum request body size is limited (see POST_TO_GET_REQUEST_BODY_MAX_SIZE and #initialize). You should choose this limit carefully, and/or include this middleware after your security middlewares.

Improvements over Rack::MethodOverride (v1.5.2):

• Rack::MethodOverride requires the original method to be POST. We allow the following overrides (ORIGINAL_METHOD → OVERRIDE_WITH):

  • GET → DELETE, HEAD and OPTIONS

  • POST → GET, PATCH and PUT

• Rack::MethodOverride doesn’t touch env['QUERY_STRING']. We remove parameter _method if it was handled (but still leave it there if it wasn’t handled for some reason).

• Rackful::MethodOverride is documented ;-)