
Ticket #10303 (closed defect: fixed)

Opened 9 months ago

Last modified 9 months ago

[PATCH] accept only known HTTP methods

Reported by: tarmo Assigned to: core
Priority: normal Milestone: 2.x
Component: ActionPack Version: edge
Severity: normal Keywords:
Cc:

Description

Currently actionpack does not validate REQUEST_METHOD or params[:_method]. Most applications can only handle a small set of methods, so it makes sense to make sure that only those methods are accepted.

Also, the current implementation requires the HTTP method name to be converted to a symbol. This means that if the server does not limit the accepted HTTP methods, it is possible to cause the server to leak a lot of memory just by sending it repeated HTTP requests with long random _method parameters (or REQUEST_METHOD headers, if the HTTP server does not validate REQUEST_METHOD, e.g. Apache).

In case you're implementing a WebDAV server, make sure to add the accepted WebDAV methods to the ActionController::AbstractRequest.ACCEPTED_HTTP_METHODS set.
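The leak path the description outlines, next to the whitelist fix, as an added Ruby example. This is not the attached patch and not Rails code: ACCEPTED_HTTP_METHODS here only stands in for the set the ticket names, and HTTP_METHOD_LOOKUP, raw_method_name, request_method_checked, request_method_unchecked, attack_requests and run_against are this example's own names; string-keyed params and the POST-only _method override convention are assumed. Caveat for anyone reproducing it today: the unbounded growth the ticket describes holds on Ruby releases before 2.2, which never collect symbols. From 2.2 on, symbols made with String#to_sym are garbage collected, so the example counts the symbols each version hands back per request instead of measuring process memory.

```ruby
require 'set'

class UnknownHttpMethod < StandardError; end

# Hypothetical whitelist standing in for the ACCEPTED_HTTP_METHODS set named in
# the ticket; the names in this example are its own, not the patch's.
ACCEPTED_HTTP_METHODS = Set.new(%w[get head post put delete options]).freeze

# Lowercase name -> symbol, interned once at load time. Every lookup returns one
# of these existing symbols, so request data can never create a new one.
HTTP_METHOD_LOOKUP = ACCEPTED_HTTP_METHODS.each_with_object({}) { |m, h| h[m] = m.to_sym }.freeze

# Picks the effective method name: REQUEST_METHOD, or the _method override when
# the request is a POST carrying a non-empty override (assumed convention).
def raw_method_name(env, params)
  override = params['_method']
  if env['REQUEST_METHOD'] == 'POST' && override && !override.to_s.empty?
    override.to_s
  else
    env['REQUEST_METHOD'].to_s
  end
end

# Vulnerable form, matching what the ticket describes: the client-supplied name
# is interned unconditionally. On Ruby < 2.2 symbols are never garbage
# collected, so each distinct value is a permanent allocation.
def request_method_unchecked(env, params)
  raw_method_name(env, params).downcase.to_sym
end

# Hardened form: the name is only looked up in the fixed table, and anything
# unknown raises before any symbol is created.
def request_method_checked(env, params)
  name = raw_method_name(env, params).downcase
  HTTP_METHOD_LOOKUP.fetch(name) do
    raise UnknownHttpMethod,
          "#{name.inspect}, accepted HTTP methods are #{ACCEPTED_HTTP_METHODS.to_a.join(', ')}"
  end
end

# Constructed attack traffic (not captured data): `count` POST requests, each
# carrying a long random _method value as in the ticket's scenario. Seeded so
# the run is reproducible.
def attack_requests(count, seed: 1)
  rng = Random.new(seed)
  Array.new(count) do
    name = Array.new(64) { (97 + rng.rand(26)).chr }.join # 64 random a-z letters
    [{ 'REQUEST_METHOD' => 'POST' }, { '_method' => name }]
  end
end

# Feeds the requests to one implementation and reports the outcome: distinct
# symbols handed back (each one an interned allocation) and requests rejected.
def run_against(impl, requests)
  symbols = Set.new
  rejected = 0
  requests.each do |env, params|
    begin
      symbols << send(impl, env, params)
    rescue UnknownHttpMethod
      rejected += 1
    end
  end
  { symbols: symbols.size, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  attack = attack_requests(1_000)
  p run_against(:request_method_unchecked, attack) # => {:symbols=>1000, :rejected=>0}
  p run_against(:request_method_checked, attack)   # => {:symbols=>0, :rejected=>1000}
end
```

The hardened lookup also covers the second vector in the description: a front-end server that passes an arbitrary REQUEST_METHOD through reaches the same `fetch` and is rejected the same way, since the check is on the final name rather than on where it came from.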

Attachments

http_method_validation.patch (3.1 kB) - added by tarmo on 11/28/07 21:41:44.

Change History

11/28/07 21:41:44 changed by tarmo

  • attachment http_method_validation.patch added.

11/29/07 02:08:54 changed by rick

  • status changed from new to closed.
  • resolution set to fixed.

(In [8235]) Raise UnknownHttpMethod exception for unknown HTTP methods. Closes #10303 [tarmo]