Thomas Counsell
2004-Dec-31 09:53 UTC
Am I opening myself to some security vulnerability if I unprotect the Controller classes' redirect methods?
I merrily wrote a (specific to my university) authentication filter as a separate class. As part of the authentication process it needs to re-direct the user to a university server to log in. This all works fine except that the redirect_to methods of a controller are all protected.

This is easy to overcome, but am I likely to make myself vulnerable by having public redirect methods on a controller class?

Thanks
Tom
Andreas Schwarz
2004-Dec-31 13:56 UTC
Re: Am I opening myself to some security vulnerability if I unprotect the Controller classes' redirect methods?
Thomas Counsell wrote:
> Am I opening myself to some security vulnerability if I unprotect the
> Controller classes' redirect methods?
>
> I merrily wrote a (specific to my university) authentication filter as a
> separate class. As part of the authentication process it needs to
> re-direct the user to a university server to log in. This all works
> fine except that the redirect_to methods of a controller are all protected.

Use controller.send(:redirect_to, arguments).
Eric Hodel
2005-Jan-01 02:42 UTC
Re: Am I opening myself to some security vulnerability if I unprotect the Controller classes' redirect methods?
On 31 Dec 2004, at 01:53, Thomas Counsell wrote:
> Am I opening myself to some security vulnerability if I unprotect the
> Controller classes' redirect methods?
>
> I merrily wrote a (specific to my university) authentication filter as
> a separate class. As part of the authentication process it needs to
> re-direct the user to a university server to log in. This all works
> fine except that the redirect_to methods of a controller are all
> protected.
>
> This is easy to overcome, but am I likely to make myself vulnerable
> by having public redirect methods on a controller class?

No. private and protected in Ruby only exist to prevent foot-shooting.

    class X; private; def a; end; end
    x = X.new
    begin
      x.a
    rescue NoMethodError
      puts "nope!"
    end
    class X; public :a; end
    x.a

--
Eric Hodel - drbrain-48TerJ1FxhPk1uMJSBkQmQ@public.gmane.org - http://segment7.net
FEC2 57F1 D465 EB15 5D6E 7C11 332A 551C 796C 9F04
_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails