Gaspard Bucher
2006-Mar-01 14:42 UTC
[Rails] Security issue: a user can fill cache with random urls
Say your app responds to store/show/3 and caching is enabled at the store controller level. A route says:

map.connect 'store/:action/:id', :controller => 'store'

All the following urls will be processed and cached (the cache filling with 'page not found' messages)!

store/foo/bar
store/show/090934298234897342
store/show/090934598234897347
store/show/090934294234897341
store/show/090934298234897343
...

How can I avoid this? Is there a way to disable caching 'on the fly', saying to rails: this page is an error, do not cache it.

Thank you for your help.

Gaspard
Kent Sibilev
2006-Mar-01 16:10 UTC
[Rails] Security issue: a user can fill cache with random urls
Submit a patch ticket. Something like
Index: actionpack/lib/action_controller/caching.rb
==================================================================---
actionpack/lib/action_controller/caching.rb (revision 3716)
+++ actionpack/lib/action_controller/caching.rb (working copy)
@@ -129,6 +129,7 @@
# cache_page "I''m the cached content", :controller
=>
"lists", :action => "show"
def cache_page(content = nil, options = {})
return unless perform_caching && caching_allowed
+ return if content.nil? &&
@response.headers[''Status''] &&
!(200...300).include?(@response.headers[''Status''].to_i)
self.class.cache_page(content || @response.body,
url_for(options.merge({ :only_path => true, :skip_relative_url_root =>
true })))
end
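Review bot: the new guard in cache_page only refuses to cache when @response.headers['Status'] is actually set; a response whose Status header is nil still gets cached whatever happened, so the safer shape is to make success the explicit condition, e.g. `status = @response.headers['Status']` followed by `return if content.nil? && !(status && (200...300).include?(status.to_i))`, which treats an absent or malformed status as not cacheable. The `content.nil?` clause also means an explicit `cache_page "..."` call still writes the cache on an error response, which is probably intended but deserves a comment above the check. The change should land with a test that renders a 404 under perform_caching and asserts no page file is written.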
--
Kent
On 3/1/06, Gaspard Bucher <g.bucher@teti.ch> wrote:
> Say your app responds to : store/show/3 and caching is enabled at the
> store controller level.
>
> A route says : map.connect 'store/:action/:id', :controller => 'store'
>
> All the following urls will be processed and cached (the cache
> filling with 'page not found' messages) !
>
> store/foo/bar
> store/show/090934298234897342
> store/show/090934598234897347
> store/show/090934294234897341
> store/show/090934298234897343
> ...
>
> How can I avoid this ?
>
> Is there a way to disable caching 'on the fly', saying to rails :
> this page is an error, do not cache it.
>
> Thank you for your help.
>
> Gaspard
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
Łukasz Piestrzeniewicz
2006-Mar-01 16:16 UTC
[Rails] Security issue: a user can fill cache with random urls
On 01/03/06, Gaspard Bucher <g.bucher@teti.ch> wrote:
> Say your app responds to : store/show/3 and caching is enabled at the
> store controller level.
> All the following urls will be processed and cached (the cache
> filling with 'page not found' messages) !
> How can I avoid this ?
> Is there a way to disable caching 'on the fly', saying to rails :
> this page is an error, do not cache it.

I conditionally enable page caching for found pages only.

def show
  # find_by_id returns nil for an unknown id instead of raising RecordNotFound,
  # so the nil check below actually takes the error branch
  @page = Page.find_by_id(params[:id])
  if @page
    render ...
    cache_page   # only reached when the page exists, so 404 bodies are never cached
  else
    render error page
  end
end

--
Łukasz Piestrzeniewicz
http://ragnarson.blogspot.com
Gaspard Bucher
2006-Mar-01 16:20 UTC
[Rails] Security issue: a user can fill cache with random urls
It's that simple! Thanks, I didn't know about the cache_page function.

Gaspard

> On 01/03/06, Gaspard Bucher <g.bucher@teti.ch> wrote:
>> Say your app responds to : store/show/3 and caching is enabled at the
>> store controller level.
>> All the following urls will be processed and cached (the cache
>> filling with 'page not found' messages) !
>> How can I avoid this ?
>> Is there a way to disable caching 'on the fly', saying to rails :
>> this page is an error, do not cache it.
>
> I conditionally enable page caching for found pages only.
>
> def show
>   @page = Page.find(param[:id])
>   if @page
>     render ...
>     cache_page
>   else
>     render error page
>   end
> end
>
> --
> Łukasz Piestrzeniewicz
> http://ragnarson.blogspot.com
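To make the two answers above concrete (Kent's status check inside cache_page, and Łukasz's conditional call to cache_page), here is an added, self-contained Ruby illustration. It is not code from this thread, from Rails, or from either poster: PageCache, PAGES, REQUESTS, show_page, cacheable_status?, serve_unguarded, serve_guarded and run_requests are all constructed for the example, and it stands in for Rails' file-based page cache with an in-memory hash. The only Rails convention it borrows is the Status header being a string such as "404 Not Found" (as in the patch's `.to_i` call); a nil status is deliberately treated as not cacheable, which is the one place it is stricter than the patch.

```ruby
# Added illustration (not code from the thread or from Rails): a stand-in for
# page caching that shows the cache-filling problem and the guard that stops it.
# PAGES, PageCache and REQUESTS are constructed sample data.

Response = Struct.new(:status, :body)

# Constructed "database": only these ids exist.
PAGES = { "3" => "Store item 3", "7" => "Store item 7" }.freeze

# Simulated store/show/:id action. A missing record renders a 404 body,
# which is exactly what the naive cache would store under that path.
def show_page(id)
  body = PAGES[id]
  body ? Response.new("200 OK", body) : Response.new("404 Not Found", "page not found")
end

# Mirrors the status check in Kent's patch, but treats a missing or
# non-numeric Status header as NOT cacheable rather than cacheable.
def cacheable_status?(status_header)
  return false if status_header.nil?
  (200...300).include?(status_header.to_i)
end

# Minimal page cache keyed by request path (stands in for the files Rails
# writes under public/).
class PageCache
  attr_reader :store

  def initialize
    @store = {}
  end

  def write(path, body)
    @store[path] = body
  end

  def size
    @store.size
  end
end

# Naive behaviour from the report: every rendered page is cached,
# including the 404 bodies produced for ids that do not exist.
def serve_unguarded(cache, id)
  resp = show_page(id)
  cache.write("store/show/#{id}", resp.body)
  resp
end

# Guarded behaviour: cache only successful responses. This is the effect of
# calling cache_page only in the found branch, or of the check in the patch.
def serve_guarded(cache, id)
  resp = show_page(id)
  cache.write("store/show/#{id}", resp.body) if cacheable_status?(resp.status)
  resp
end

# Replay a list of requested ids through one serving strategy and return the
# resulting cache so its contents can be inspected.
def run_requests(strategy, ids)
  cache = PageCache.new
  ids.each { |id| send(strategy, cache, id) }
  cache
end

# Constructed request mix: two real ids and three invented ones, as in the report.
REQUESTS = %w[3 090934298234897342 foo 7 090934598234897347].freeze

if __FILE__ == $0
  puts "unguarded cache entries: #{run_requests(:serve_unguarded, REQUESTS).size}"
  puts "guarded cache entries:   #{run_requests(:serve_guarded, REQUESTS).size}"
end
```

Run it as a script and the unguarded cache ends up with one entry per request (five, three of them 404 bodies), while the guarded cache holds only the two pages that exist; the number of cache entries is then bounded by the number of real records rather than by how many urls a client cares to request.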