Hi rortalk, I''ve been looking at my under development site''s exposure to csrf attacks. While it is a good thing that rails provides request forgery protection for not-gets, it seems to me that for it to actually be meaningful you need to take the additional step of restricting the methods of your actions. for example, say i have a destroy method in a controller of a restful app. by convention i invoke this using DELETE, and if i do so, request forgery protection applies. however, by default it is also possible to invoke it using GET, unless i explicitly do something like verify :method => :delete, :only => [ :destroy ] this is potentially very bad .. as an example, attackers could use something cheesy like a lot of <img src="http://mysite.com/valuabledocuments/destroy/1"> for 1....99999 on any page to have visiting users destroy all their valuable documents. obviously similar problems apply in terms of the ability to invoke update and create using GET without an explicit verify :method. it seems to me like it would be sensible to provide an option (possibly a default) to verify that restful resources are accessed using only the correct http verbs. one alternative is to have in the ApplicationController: verify :method => :post, :only => [ :post ] verify :method => :put, :only => [ :update ] verify :method => :delete, :only => [ :destroy ] which seems to work ok .. although it breaks the tests for restful_authentication, apparently (yet to look into it) thoughts? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Feb 24, 5:47 am, James Salter <iterat...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> it seems to me like it would be sensible to provide an option > (possibly a default) to verify that restful resources are accessed > using only the correct http verbs. > > one alternative is to have in the ApplicationController: > > verify :method => :post, :only => [ :post ] > verify :method => :put, :only => [ :update ] > verify :method => :delete, :only => [ :destroy ]Or if you delete the default route from routes.rb then you don''t need this. Fred> > which seems to work ok .. although it breaks the tests for > restful_authentication, apparently (yet to look into it) > > thoughts?--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
aha. thanks fred On Feb 24, 7:09 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> On Feb 24, 5:47 am, James Salter <iterat...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > it seems to me like it would be sensible to provide an option > > (possibly a default) to verify that restful resources are accessed > > using only the correct http verbs. > > > one alternative is to have in the ApplicationController: > > > verify :method => :post, :only => [ :post ] > > verify :method => :put, :only => [ :update ] > > verify :method => :delete, :only => [ :destroy ] > > Or if you delete the default route from routes.rb then you don''t need > this. > > Fred > > > > > > > which seems to work ok .. although it breaks the tests for > > restful_authentication, apparently (yet to look into it) > > > thoughts?--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---