If I'm not mistaken, a user can send POST data from outside of a web browser; I think this is something that is done to brute-force form logins, or to automate spam, etc.

In my app, which operates like a forum, Comment objects have a boolean attribute "sticky" which determines if that Comment is displayed before all other comments.

I was thinking, what would happen if a user forcefully sent "sticky => true" in POST data? I would imagine my app's new_comment action would simply create a new object from that data and falsely make his or her post a sticky-post. Is this a possibility, and is it something I should be trying to prevent? Just something I recently pondered.

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On Mar 8, 2007, at 7:49 PM, Anonymous wrote:
> If I'm not mistaken, a user can send POST data from outside of a web
> browser; I think this is something that is done to brute-force form
> logins, or to automate spam, etc.

Yes, and often for testing.

> In my app, which operates like a forum, Comment objects have a boolean
> attribute "sticky" which determines if that Comment is displayed before
> all other comments.
>
> I was thinking, what would happen if a user forcefully sent "sticky =>
> true" in POST data? I would imagine my app's new_comment action would
> simply create a new object from that data and falsely make his or her
> post a sticky-post. Is this a possibility, and is it something I should
> be trying to prevent? Just something I recently pondered.

That is a danger if you're doing something like:

  MyModel.create(params[:my_model])

without checking the param values. You probably want to take a look at the attr_protected method:
http://rails.rubyonrails.org/classes/ActiveRecord/Base.html#M001005

James.

--
James Stewart
Play: http://james.anthropiccollective.org
Work: http://jystewart.net/process/
Yes, this is the reason for captchas and user-logins. You should be actively thinking about how people can attack your app from both within and without a web browser. If you're allowing your objects to be modified via POSTs, you should probably authenticate the call first. You have some sort of login system, right?

On Mar 9, 8:49 am, Anonymous <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> If I'm not mistaken, a user can send POST data from outside of a web
> browser; I think this is something that is done to brute-force form
> logins, or to automate spam, etc.
>
> In my app, which operates like a forum, Comment objects have a boolean
> attribute "sticky" which determines if that Comment is displayed before
> all other comments.
>
> I was thinking, what would happen if a user forcefully sent "sticky =>
> true" in POST data? I would imagine my app's new_comment action would
> simply create a new object from that data and falsely make his or her
> post a sticky-post. Is this a possibility, and is it something I should
> be trying to prevent? Just something I recently pondered.
>
> --
> Posted via http://www.ruby-forum.com/.
Ah okay, I was right.

I was preventing it by: self[:sticky] = nil during before_create. I was previously unaware of attr_protected which is obviously a much cleaner solution. Thanks.

> Yes, and often for testing.

Sigh. One day I'll actually learn how to do this. I don't know why I've allowed myself to go so long without.

--
Posted via http://www.ruby-forum.com/.
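To make the two fixes discussed in this thread concrete (James's attr_protected suggestion and the before_create reset the original poster was using), here is an added, self-contained Ruby example. It is not code from the thread and it does not use Rails: the three tiny classes below are constructed stand-ins that imitate ActiveRecord's mass assignment (`Model.create(params[:model])`) closely enough to show why a forged "sticky" parameter lands in the record, and how a denylist of protected attributes, or a creation-time reset, keeps it out. The `PROTECTED` constant and the `make_sticky!` and `before_create` method names are assumptions for illustration, not Rails APIs.

```ruby
# Added example, not from the thread. Plain Ruby, no ActiveRecord.
# Each class takes a params-style hash the way Model.create(params[:comment])
# would, and we watch what happens to the "sticky" attribute.

# 1. The vulnerable shape: every key the client sends becomes an attribute.
class VulnerableComment
  attr_reader :body, :sticky

  def initialize(attrs = {})
    @sticky = false
    # Mass assignment with no filtering: "sticky" from the request wins.
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
  end
end

# 2. attr_protected-style denylist: listed keys are dropped during mass
#    assignment, but privileged code can still set them explicitly.
class ProtectedComment
  attr_reader :body, :sticky

  PROTECTED = [:sticky].freeze # what `attr_protected :sticky` would declare (assumed name)

  def initialize(attrs = {})
    @sticky = false
    attrs.each do |k, v|
      next if PROTECTED.include?(k.to_sym) # silently ignored, like attr_protected
      instance_variable_set("@#{k}", v)
    end
  end

  # The only path to a sticky comment: an explicit call the controller makes
  # after it has checked the current user is a moderator (hypothetical method).
  def make_sticky!
    @sticky = true
  end
end

# 3. The original poster's approach: accept everything, then reset the field
#    in a before_create hook so a forged value never reaches the database.
class BeforeCreateComment
  attr_reader :body, :sticky

  def initialize(attrs = {})
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
    before_create # stand-in for ActiveRecord running the callback on save
  end

  def before_create
    @sticky = nil # self[:sticky] = nil, as in the thread
  end
end

# Constructed request body: what a client can send from outside a browser,
# regardless of which fields the HTML form actually rendered.
FORGED_PARAMS = { "body" => "first!", "sticky" => "true" }.freeze

def vulnerable_sticky
  VulnerableComment.new(FORGED_PARAMS).sticky # => "true" (truthy, forged value kept)
end

def protected_sticky
  ProtectedComment.new(FORGED_PARAMS).sticky # => false (forged value dropped)
end

def moderator_sticky
  c = ProtectedComment.new(FORGED_PARAMS)
  c.make_sticky! # only reachable from privileged code
  c.sticky # => true
end

def before_create_sticky
  BeforeCreateComment.new(FORGED_PARAMS).sticky # => nil (reset before save)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable:    #{vulnerable_sticky.inspect}"
  puts "protected:     #{protected_sticky.inspect}"
  puts "moderator:     #{moderator_sticky.inspect}"
  puts "before_create: #{before_create_sticky.inspect}"
end
```

The point of the denylist variant is that the decision is made once, in the model, rather than in every controller action that happens to call `create` or `update_attributes`; the before_create variant works for the single field the poster cares about but has to be repeated for each new privileged column, and it still leaves the forged value visible to any validation that runs before the callback.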
You might want to check out this link[1] as well. It cautions about your very problem, and has a few other precautions you can take to harden your application.

Nelson

[1] http://manuals.rubyonrails.com/read/book/8

Anonymous wrote:
> Ah okay, I was right.
>
> I was preventing it by: self[:sticky] = nil during before_create. I was
> previously unaware of attr_protected which is obviously a much cleaner
> solution. Thanks.
>
>> Yes, and often for testing.
> Sigh. One day I'll actually learn how to do this. I don't know why
> I've allowed myself to go so long without.
>
> --
> Posted via http://www.ruby-forum.com/.