Hello there,

While working on a project, I noticed something very weird :S

If I type this in the URL
http://localhost:3000/my/friends/index/5

it changed the whole URL :S:S:S:S
http://localhost:3000/my/friends/index/5?group=Friends

My link_to is very simple
<%= link_to group.name, :group => group.name %>

This way Ruby on Rails will open security issues in my application :S like cross-site scripting???

How do I prevent this, and thanks for your help.

PS: I know I can add :id => nil to my link_to, but I cannot do this to every single link_to in this project :S
--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
I don't understand what you're asking... do you not want the id '5' to appear in the URL?

On Oct 12, 11:32 am, Jamal Soueidan <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hello there,
>
> While working on a project, I notice something very weird :S
>
> If I type this in the URL http://localhost:3000/my/friends/index/5
>
> it changed all the URL :S:S:S:S http://localhost:3000/my/friends/index/5?group=Friends
>
> My link_to is very simple
> <%= link_to group.name, :group => group.name %>
>
> This way Rubyonrails will open security issues in my application :S like
> cross site scripting???
>
> How do I prevent this and thanks for your help.
>
> PS: I know I can add to my link_to :id => nil, but I cannot do this to
> every single link_to in this project :S
> --
> Posted via http://www.ruby-forum.com/.
Jeff Emminger wrote:
> i don't understand what you're asking... do you not want the id '5' to
> appear in the url?
>
>
> On Oct 12, 11:32 am, Jamal Soueidan <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>

I want it to ignore whatever comes after index :)
Unless you use those params in yr method [and you'd have to write code to use them, so you'd know it] they're not being used anyhow.

RSL

On 10/14/07, Jamal Soueidan <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Jeff Emminger wrote:
> > i don't understand what you're asking... do you not want the id '5' to
> > appear in the url?
> >
> >
> > On Oct 12, 11:32 am, Jamal Soueidan <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
>
> I want it to ignore whatever comes after index :)
> --
> Posted via http://www.ruby-forum.com/.
RSL ___ wrote:
> Unless you use those params in yr method [and you'd have to write code
> to use them, so you'd know it] they're not being used anyhow.
>
> RSL

Well, that's the problem: I don't use them inside my application, but the Rails framework embeds the ID automatically?

I have to assign :id => nil so it ignores it.
Allow me to reiterate: Unless you specifically use them in your controller methods, extra params on the url will _not_ be used and do _not_ pose a security threat. Hope that clears things up.

RSL

On 10/14/07, Jamal Soueidan <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> RSL ___ wrote:
> > Unless you use those params in yr method [and you'd have to write code
> > to use them, so you'd know it] they're not being used anyhow.
> >
> > RSL
>
> Well, that's the problem, I don't use them inside my application, but
> the rails framework embedded the ID automatic?
>
> I have to assign :id => nil so it ignore it
> --
> Posted via http://www.ruby-forum.com/.
On Oct 14, 7:28 am, "Russell Norris" <r...-ftMzyaTR+bHNyFkoKTPOtdi2O/JbrIOy@public.gmane.org> wrote:
> Allow me to reiterate: Unless you specifically use them in your
> controller methods, extra params on the url will _not_ be used and do
> _not_ pose a security threat. Hope that clears things up.
>
> RSL
>
> On 10/14/07, Jamal Soueidan <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> >
> > RSL ___ wrote:
> > > Unless you use those params in yr method [and you'd have to write code
> > > to use them, so you'd know it] they're not being used anyhow.
> > >
> > > RSL
> >
> > Well, that's the problem, I don't use them inside my application, but
> > the rails framework embedded the ID automatic?
> >
> > I have to assign :id => nil so it ignore it
> > --
> > Posted via http://www.ruby-forum.com/.

Yah, but: (Sorry, I have to say this.) A dev who's unclear on how his routes/URLs are generated, that's a security issue.
On 10/12/07, Jamal Soueidan <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Hello there,
>
> While working on a project, I notice something very weird :S
>
> If I type this in the URL
> http://localhost:3000/my/friends/index/5
>
> it changed all the URL :S:S:S:S
> http://localhost:3000/my/friends/index/5?group=Friends
>
> My link_to is very simple
> <%= link_to group.name, :group => group.name %>
>
> This way Rubyonrails will open security issues in my application :S like
> cross site scripting???

Huh? how so?

> How do I prevent this and thanks for your help.

Add your controller, with a leading slash. That will prevent defaults from being used in your link:

<%= link_to group.name, :controller => '/my/friends', :group => group.name %>

This is documented at ActionController::Base#url_for.
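The recycling behaviour the answer above points to, as an added example that is not part of this thread or of Rails itself: a simplified Ruby model of how url_for in Rails of that era filled in missing :controller/:action/:id from the current request (keys after the first one you override are dropped, and a leading slash on :controller switches recycling off), which is why the stray id rides along and why naming the controller explicitly removes it. The names recycle_params, build_path, HIERARCHY and the REQUEST hash are assumptions constructed for the illustration, not Rails APIs.

```ruby
# Added example: a simplified model of legacy Rails url_for parameter
# recycling. NOT Rails code; HIERARCHY, recycle_params, build_path and
# REQUEST are names chosen for this illustration (assumptions).
require 'cgi'

HIERARCHY = [:controller, :action, :id].freeze

# current: params of the request rendering the view
# options: the hash handed to link_to / url_for
def recycle_params(current, options)
  opts = options.dup
  ctrl = opts[:controller]
  # A leading slash means "absolute controller": nothing is recycled.
  if ctrl && ctrl.start_with?('/')
    opts[:controller] = ctrl[1..-1]
    return opts
  end
  # Index of the first hierarchy key the caller set explicitly (nil => none).
  first_set = HIERARCHY.index { |k| opts.key?(k) } || HIERARCHY.size
  HIERARCHY.each_with_index do |key, i|
    # Keys before the first override are copied from the current request;
    # keys after it are dropped (overriding :action clears the old :id).
    next unless i < first_set && !opts.key?(key) && current.key?(key)
    opts[key] = current[key]
  end
  opts
end

# Renders the merged params as a classic /:controller/:action/:id path;
# everything else becomes the query string.
def build_path(current, options)
  p = recycle_params(current, options)
  path = "/#{p.delete(:controller)}"
  action = p.delete(:action) || 'index'
  id = p.delete(:id)
  path += "/#{action}" unless action == 'index' && id.nil?
  path += "/#{id}" if id
  query = p.map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }.join('&')
  query.empty? ? path : "#{path}?#{query}"
end

# Constructed request params mirroring the URL from the question.
REQUEST = { controller: 'my/friends', action: 'index', id: '5' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_path(REQUEST, group: 'Friends')                            # /my/friends/index/5?group=Friends
  puts build_path(REQUEST, controller: '/my/friends', group: 'Friends') # /my/friends?group=Friends
  puts build_path(REQUEST, group: 'Friends', id: nil)                   # /my/friends?group=Friends
end
```

The third call reproduces the :id => nil workaround from the question; the leading-slash form avoids repeating it in every link.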
On Oct 14, 7:47 am, gene tani <gene.t...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Oct 14, 7:28 am, "Russell Norris" <r...-ftMzyaTR+bHNyFkoKTPOtdi2O/JbrIOy@public.gmane.org> wrote:
> > Allow me to reiterate: Unless you specifically use them in your
> > controller methods, extra params on the url will _not_ be used and do
> > _not_ pose a security threat. Hope that clears things up.
> >
> > RSL
> >
> > On 10/14/07, Jamal Soueidan <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> > >
> > > RSL ___ wrote:
> > > > Unless you use those params in yr method [and you'd have to write code
> > > > to use them, so you'd know it] they're not being used anyhow.
> > > >
> > > > RSL
> > >
> > > Well, that's the problem, I don't use them inside my application, but
> > > the rails framework embedded the ID automatic?
> > >
> > > I have to assign :id => nil so it ignore it
> > > --
> > > Posted via http://www.ruby-forum.com/.
>
> Yah, but: (Sorry, I have to say this.) A dev who's unclear on how his
> routes/URLs are generated, that's a security issue.

Let me try to actually be helpful, since I can't figure out where the param's coming from either: I started David Black's PDF mini-book on routing; it's quite good, though I forgot to bring it with me: http://www.bookpool.com/sm/0132417995