Hello all!
On reading this after sleeping, I was shocked by
how little I said about the use of this. Let me
explain:
in view:

  <%= link_to 'Delete', :controller => 'users',
                        :action     => :delete,
                        :id         => @user,
                        :secure     => true %>

Will generate a link similar to this:

http://0.0.0.0:3000/users/delete/1?security=7382038b2148cdc312c5a3fbaaf6bd427cd42511
And, if that controller and method have

  before_filter :check_security

then the link would only be allowed if it had not been
changed by the user, else it would redirect to a fixed
controller and action.
That eliminates the need to be obsessive about verifying
that the session identified user actually owns the
account number 1, since the end user could not have
modified the URL or generated a new one of their own.
This is just proto code, it's just feedback on the idea
that I'm interested in.
Thanks!
--
-- Tom Mornini
On Sep 21, 2005, at 7:32 PM, Tom Mornini wrote:
> New to Rails, just getting the hang of things.
>
> In the past (Perl) I've used crypto hashed links
> as a way to avoid needing to be concerned about
> trusting data provided by both GET and POST data.
> In GET requests, it's the URL in question, and
> in POST data, hidden fields.
>
> Since the Rails way passes a lot of information
> in the URL, this seems a likely vector for
> security problems. I was delighted to see it
> discussed in the excellent Pragmatic Rails book,
> as it seems whenever I mention this problem,
> most people seem to be unaware of the problem.
>
> Vigilance helps, but isn't a solution.
>
> Last night I hashed out some basic code. I wanted
> to run it by the community and see what everyone
> thought.
>
> If it passes scrutiny, I'll figure out how to
> bundle it up as a gem. Or, perhaps, we could
> use it in the framework itself.
>
> The only non-technical issue I see is that it
> breaks the Rails philosophy of pretty URLs.
>
> in application.rb:
>
>   require 'digest/sha1'
>
>   # Before filter
>
>   def check_security
>     path_info = @request.env['PATH_INFO']
>     sess_sec  = session[:security] || ''
>
>     p_sec = params[:security] || ''
>     u_sec = Digest::SHA1.hexdigest(path_info + sess_sec)
>
>     if p_sec != u_sec
>       logger.info('SECURITY: path_info = ' + path_info)
>       logger.info('SECURITY: sess_sec = ' + sess_sec)
>       logger.info('SECURITY: p_sec=' + p_sec + ', u_sec=' + u_sec)
>       redirect_to :controller => 'index', :action => 'security_violation'
>       return false  # halt the filter chain so the action does not run
>     end
>
>     # Rotate the per-session secret on every checked request
>     key = Time.now.to_s
>
>     1.upto(8) { key += rand.to_s }
>
>     session[:security] = Digest::SHA1.hexdigest(key)
>   end
>
>   # Override for Rails framework method
>
>   def url_for(params)
>     logger.info params.inspect
>     if params[:secure]
>       params.delete(:secure)
>       url = super
>       # Sign only the path, so the digest matches the PATH_INFO
>       # that check_security hashes (url_for returns the full URL)
>       path = url.sub(/\A\w+:\/\/[^\/]+/, '')
>       url += '?security=' + Digest::SHA1.hexdigest(path + session[:security])
>     else
>       super
>     end
>   end
> --
> -- Tom Mornini
>
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
>
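A stand-alone Ruby version of the scheme in the thread above (sign the request path with a per-session secret when the link is generated, recompute and compare in a before filter), added here as an example and not part of Tom's code. It uses HMAC-SHA1 and a constant-time comparison where the post uses SHA1(path + secret) and `!=`, and plain functions instead of a controller; `secure_link`, `security_ok?`, `split_request` and `demo` are names chosen for this example.

```ruby
require 'openssl'
require 'securerandom'
require 'uri'

# Per-session secret (the post builds one from Time.now and rand;
# a CSPRNG is assumed to be acceptable here).
def new_session_secret
  SecureRandom.hex(20)
end

# Signature over the request path, keyed with the session secret.
# HMAC-SHA1 stands in for the post's SHA1(path + secret).
def path_signature(path, secret)
  OpenSSL::HMAC.hexdigest('sha1', secret, path)
end

# Counterpart of url_for(:secure => true): append the signature as
# the 'security' query parameter. Only the path is signed, which is
# exactly what PATH_INFO hands back to the filter.
def secure_link(path, secret)
  "#{path}?security=#{path_signature(path, secret)}"
end

# Compare two digests without leaking where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Counterpart of the before_filter: recompute the signature from
# PATH_INFO and compare it with the one the client presented.
def security_ok?(path_info, params, secret)
  constant_time_equal?(params['security'].to_s, path_signature(path_info, secret))
end

# Split a link into PATH_INFO and query params, as the server would.
def split_request(url)
  uri = URI.parse(url)
  [uri.path, URI.decode_www_form(uri.query.to_s).to_h]
end

# Untouched link passes; an edited id or a missing parameter fails.
def demo
  secret = new_session_secret
  path, params = split_request(secure_link('/users/delete/1', secret))
  { untouched: security_ok?(path, params, secret),
    tampered:  security_ok?('/users/delete/2', params, secret),
    missing:   security_ok?(path, {}, secret) }
end
```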