Antonio Tapiador del Dujo
2008-Jun-20 16:49 UTC
New Request Forgery Protection breaks AtomPub implementations
Rails 2.1 Request Forgery Protection is incompatible with AtomPub implementations.

New 'verifiable_request_format?' function (action_controller/request_forgery_protection.rb:101) is banning DELETE requests, where request.content_type is nil.

It also forbids posting any type of media, like images. This should be solved adding every content type to @@unverifiable_types in Mime::Type.

Any comments?

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
Manfred Stienstra
2008-Jun-20 17:04 UTC
Re: New Request Forgery Protection breaks AtomPub implementations
On Jun 20, 2008, at 6:49 PM, Antonio Tapiador del Dujo wrote:

> Rails 2.1 Request Forgery Protection is incompatible with AtomPub implementations
>
> New 'verifiable_request_format?' function (action_controller/request_forgery_protection.rb:101) is banning DELETE requests, where request.content_type is nil
>
> It also forbids posting any type of media, like images. This should be solved adding every content type to @@unverifiable_types in Mime::Type
>
> Any comments?

A quick workaround would be to turn off forgery protection by removing 'protect_from_forgery' from the ApplicationController.

Manfred
Antonio Tapiador del Dujo
2008-Jun-20 18:20 UTC
Re: New Request Forgery Protection breaks AtomPub implementations
On Friday 20 June 2008 19:04:04 Manfred Stienstra wrote:

> On Jun 20, 2008, at 6:49 PM, Antonio Tapiador del Dujo wrote:
>
> > Rails 2.1 Request Forgery Protection is incompatible with AtomPub implementations
> >
> > New 'verifiable_request_format?' function (action_controller/request_forgery_protection.rb:101) is banning DELETE requests, where request.content_type is nil
> >
> > It also forbids posting any type of media, like images. This should be solved adding every content type to @@unverifiable_types in Mime::Type
> >
> > Any comments?
>
> A quick workaround would be to turn off forgery protection by removing 'protect_from_forgery' from the ApplicationController.

Sure, but I'd like that functionality enabled for common requests.
Rick Olson
2008-Jun-29 21:02 UTC
Re: New Request Forgery Protection breaks AtomPub implementations
On 6/20/08, Antonio Tapiador del Dujo <atapiador@dit.upm.es> wrote:

> Rails 2.1 Request Forgery Protection is incompatible with AtomPub implementations
>
> New 'verifiable_request_format?' function (action_controller/request_forgery_protection.rb:101) is banning DELETE requests, where request.content_type is nil

Shouldn't the content type be application/atom+xml? :atom is in unverifiable_types.

> It also forbids posting any type of media, like images. This should be solved adding every content type to @@unverifiable_types in Mime::Type
>
> Any comments?

According to the docs, you can skip request forgery protection by skipping the before_filter:

    skip_before_filter :verify_authenticity_token

Do you have any suggestions to make this easier for atompub implementors?

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
Antonio Tapiador del Dujo
2008-Jun-30 15:33 UTC
Re: New Request Forgery Protection breaks AtomPub implementations
On Sunday 29 June 2008 23:02:58 Rick Olson wrote:

> On 6/20/08, Antonio Tapiador del Dujo <atapiador@dit.upm.es> wrote:
>
> > Rails 2.1 Request Forgery Protection is incompatible with AtomPub implementations
> >
> > New 'verifiable_request_format?' function (action_controller/request_forgery_protection.rb:101) is banning DELETE requests, where request.content_type is nil
>
> Shouldn't the content type be application/atom+xml? :atom is in unverifiable_types.

I guess it's set to nil by Rails, because of the request body being blank.

> > It also forbids posting any type of media, like images. This should be solved adding every content type to @@unverifiable_types in Mime::Type
> >
> > Any comments?
>
> According to the docs, you can skip request forgery protection by skipping the before_filter:
>
>     skip_before_filter :verify_authenticity_token

This would prevent forgery protection working for HTML requests.

> Do you have any suggestions to make this easier for atompub implementors?

I would suggest some kind of white list like Mime::Type @@unverifiable_types but for respond_to formats.
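The decision the thread is arguing about, and the per-format whitelist Antonio proposes at the end, written out as a runnable Ruby model. This is an added example, not code from Rails or from anyone in the thread. The Request struct, MIME_SYMBOLS, SESSION_TOKEN and the sample requests are constructed for it; verified_request_2_1? mirrors only the behaviour the thread reports (a nil Content-Type counts as verifiable and so is token-checked, while formats listed in @@unverifiable_types are not); verified_request_whitelist? and VERIFIED_FORMATS are a hypothetical design, not an option Rails 2.1 offers.

```ruby
require 'set'

# Stand-in for the parts of a Rails request the forgery check reads.
# Constructed for this example; it is not ActionController::Request.
Request = Struct.new(:http_method, :content_type, :params)

# Format symbols Rails 2.1 lists in Mime::Type @@unverifiable_types.
# A request whose Content-Type maps to one of these skips the token check.
UNVERIFIABLE_TYPES = Set.new([:text, :json, :xml, :rss, :atom, :yaml])

# Content-Type -> format symbol. A hand-picked subset for the example.
MIME_SYMBOLS = {
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'text/plain'                        => :text,
  'application/atom+xml'              => :atom,
  'application/xml'                   => :xml,
  'image/png'                         => :png,
}

# Constructed session token; the check compares params['authenticity_token'] with it.
SESSION_TOKEN = '5c3a1f0e9d2b'

def token_ok?(request)
  request.params['authenticity_token'] == SESSION_TOKEN
end

# Rails 2.1 behaviour as reported in the thread: the format is "verifiable"
# (token required) when Content-Type is nil OR not on the unverifiable list.
# Hence a bodiless DELETE (nil Content-Type) and a POST of image/png are checked.
def verifiable_request_format_2_1?(request)
  request.content_type.nil? ||
    !UNVERIFIABLE_TYPES.include?(MIME_SYMBOLS[request.content_type])
end

def verified_request_2_1?(request)
  request.http_method == :get ||
    !verifiable_request_format_2_1?(request) ||
    token_ok?(request)
end

# Hypothetical whitelist along the lines Antonio suggests: only formats a
# browser form can submit are token-checked; AtomPub entries, media uploads
# and bodiless DELETEs pass through. A format may stay off this list only if
# a cross-site browser request cannot produce it: HTML forms can send only
# urlencoded, multipart/form-data and text/plain bodies.
VERIFIED_FORMATS = Set.new([:url_encoded_form, :multipart_form, :text])

def verified_request_whitelist?(request)
  return true if request.http_method == :get
  format = MIME_SYMBOLS[request.content_type]
  return true unless VERIFIED_FORMATS.include?(format)
  token_ok?(request)
end

# Constructed sample requests covering the cases raised in the thread.
SAMPLES = {
  atompub_delete:  Request.new(:delete, nil, {}),
  media_post:      Request.new(:post, 'image/png', {}),
  atom_post:       Request.new(:post, 'application/atom+xml', {}),
  form_no_token:   Request.new(:post, 'application/x-www-form-urlencoded', {}),
  form_with_token: Request.new(:post, 'application/x-www-form-urlencoded',
                               { 'authenticity_token' => SESSION_TOKEN }),
}

# Returns [name, accepted-by-2.1?, accepted-by-whitelist?] for each sample.
def compare
  SAMPLES.map do |name, req|
    [name, verified_request_2_1?(req), verified_request_whitelist?(req)]
  end
end

if __FILE__ == $0
  compare.each do |name, old, new|
    printf("%-16s rails2.1=%-5s whitelist=%s\n", name, old, new)
  end
end
```

Running it shows the two complaints side by side: the bodiless DELETE and the image POST are rejected by the 2.1 logic because nothing on those requests maps to an unverifiable format, while the Atom entry is accepted without a token because :atom is on the list. The whitelist variant accepts all three and still rejects the form post that lacks a token, which is the property Antonio wants to keep. Rick's skip_before_filter :verify_authenticity_token would instead remove the check for every request to that controller, form posts included.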