Displaying 20 results from an estimated 48 matches for "csrf".
Did you mean:
csr0
2013 Jan 22
2
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get
exceptions from crawler bots that use a HEAD HTTP method, which causes the
CSRF protection to kick in.
Shouldn''t HEAD requests normally be handled like GET requests?
I am not sure if I''m just being stupid or that hit is a bug somewhere.
Michiel
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" gr...
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I''m setting up a Paypal IPN listener and need the create action to not
use rails'' default CSRF protection.
I''ve got that working fine & test it actually works with cucumber
(where I''ve turned CSRF back on, since it''s full-stack testing) but
would like my controller spec to mention the need for
protect_from_forgery :except => [:create] (and fail when it'...
2011 Feb 11
11
CSRF protection in rails 2.3.11
Hi all,
I think CSFR protection broke in rails 2.3.11.
As in: it''s turned off now.
I tried this in rails 2.3.10 and in 2.3.11 and 2.3.11 seems broken.
>rails csrftest
>cd csrftest
>script/generate scaffold post title:string
>rake db:migrate
now I visit /posts/new in my browser, use firebug to delete or change
the authenticity token, and submit the form.
rails 2.3.11: all fine, new post saved
rails 2.3.10: ActionController::InvalidAuthenticityToken...
2013 Jan 09
4
CSRF resets my session in Firefox
Hello all,
I''ve been trying to diagnose an issue with CSRF and Firefox
specifically. I''ve got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I''ve tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)... The form just posts
some data to an ajax method that creates, saves, and sets t...
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
...aware of this problem? How many actually use
ActiveRecordStore instead of CookieStore? If the latter is by far the
most common mode, then we believe that default should be
ActiveRecordStore, as it is much less susceptible to this problem.
(Session ids are usually not stateful in a bad way.)
2. The CSRF protection, at least in Rails 2.2.2, seems too weak. Rails
comes close to implementing a fix, by embedding and checking hidden
tokens (for POST requests). But it is well-known that for such a fix
to work, the tokens should be session-specific. Unfortunately, we
found that the implementation in 2.2....
2011 Aug 28
1
Page Caching, CSRF, and Loading a form via Ajax
...ut also want to
enable people to sign in via a modal dialog sign in form. I could
have a setup in which when a user lands on the cached homepage, an
Ajax GET request pulls in the whole login form so that there is a
fresh authenticity token.
That said, besides the additional hit to the server, the CSRF token in
the head area of the page could be different (left over in the page
cache from another user).
I''m guessing that loading a form like this through ajax is not
advisable, but since it works and most people hit the site without
signing in, I''m wondring why not just load the...
2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all,
My team and I are finding ourselves a little in the dark about the
"CSRF Protection Bypass in Ruby on Rails" vulnerability that was
announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
1. Where is the complete Advisory? The Impact section is very unclear.
Looking at the comment in the 2.3 patch mentions "Flash a...
2007 Oct 23
6
Auto complete plugin and CSRF protection-- do you care?
Hi,
I just noticed that the auto_complete plugin does not work with the
CSRF protection in Rails 2.0. I''ve patched the plugin, but I''m
wondering if people would like to see the official plugin fixed. If
so, speak up and I will write some tests and submit the patch.
Krishna
--~--~---------~--~----~------------~-------~--~----~
You received this message be...
2008 Jan 23
2
CSRF / cached authenticity tokens / ajax requests
I''m going to go out on a limb here and say the new CSRF protection in
Rails is flawed. Why? Forget about caching if you care to use it.
Consider the following:
<% cache do %>
<%= link_to_remote "Add To Favorites", :url => {:controller =>
"favorites", :action => "create", "movie_id" => 2} %&...
2014 May 03
0
Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?
When you generate a default Rails app, it puts this in
application.html.erb:
<%= csrf_meta_tags %>
It does this so the remote forms can be submitted--i.e., so JavaScript can
submit a form. When jquery-rails is about to submit a form, it looks for
the <meta> tags named "csrf-param" and "csrf-token" and from them it
constructs a hidden "authentic...
2012 Dec 03
2
Rails 3.2 session id nil until next request
...e server makes sure the username &
password match, then it does session[:user_id] = user.id, creating the
session. But before I send back the login response,
request.session_options[:id] is nil, so I seem to have no way of telling
the client was his session id is.
I did manage to get the CSRF token sent with the login response, which the
client sends on subsequent requests. On these subsequent requests, the
session id is actually found in request.session_options[:id], so it must be
working, just not in the order I expected.
So maybe I''m misunderstanding how this is suppose...
2010 Sep 04
0
CSRF protection not working with jquery ajax post request
Hallo,
I want to test the csrf protection of my application but forgery
protection is not working with jquery ajax request.
I have used Unobtrusive Javascript with jquery
I have removed the
<%= csrf_meta_tag %>
so that my application do not include authenticity token.
In my view I have the following code
$(function () {...
2010 Apr 01
4
POST-only logic in protect_from_forgery considered harmful?
...ls again after a multi-year stint of
mod_perl jobs, which might grant me some newbie-indemnity for the time
being - but I''ve found an issue I think warrants discussion.
As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
- the CSRF protection feature does not kick in for GET requests. This
is under the assumption that GET requests are idempotent.
There is a (big, IMO) problem with this: unless the controller action
which receives the POST request manually validates that the request is
a POST as expected, it is wide open to C...
2005 May 12
1
Cross-site Request Forgery
Hi all,
I stuck a little bit of information on CSRF on the wiki
(http://wiki.rubyonrails.com/rails/show/HowToAvoidCrossSiteRequestForgery)
and created a "Security Concerns" page from the home page
(http://wiki.rubyonrails.com/rails/show/Security+Concerns) - it would
be good to have a single point of information for all know security
holes...
2013 Feb 18
4
PROPOSAL: Remove SWAT in Samba 4.1
...you would have noticed, we have now had 3 CVE-nominated
security issues for SWAT in the past couple of years.
At the same time, while I know many of our users use SWAT, we just don't
have anybody to maintain it inside the Samba Team. Kai has made a
valiant effort to at least apply the XSS and CSRF guidelines when folks
make security reports, but by his own admission he isn't a web developer
- none of us are!
There are many other parts of Samba that have not been substantially
maintained in years, but few have the level of security exposure that
SWAT does (most are bits of library and ut...
2005 May 06
17
FYI: watch out for google's web accelerator - can empty your app of data
Hi All,
A co-worker passed this info on to me:
http://37signals.com/svn/archives2/google_web_accelerator_hey_not_so_fast_an_alert_for_web_app_designers.php
The Skinny: Google has a "Web Accelerator" that pre-caches pages by
following url''s. If you have any plain/simple URL''s that don''t take
paramaters (like what often happens in rails apps), it will try to
2008 Feb 07
4
text_field_with_auto_complete
I have the following in my view:
<% form_tag :action => ''detail'' do %>
Search for Sales Order Number:<br />
<%= text_field_with_auto_complete :sales_order, :id %>
<%= submit_tag " Go "%>
<% end %>
And I have the following in my controller:
auto_complete_for :sales_order, :id
This worked fine in 1.5, but
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi,
http://apidock.com/rails/ActionController/RequestForgeryProtection only
maintains one CSRF token at a time. When a user visits some site, he gets a
new token in the session. He then might open a linked site of the same
rails app in a new browser tab (maybe some info he''d like to read), and
again he will get a new token. Then he changes to the first tab again and
submits a fo...
2010 Sep 21
7
Ajax CSRF in Rails3
I''m using rails3. It does not seem to check the authenticity_token
when doing a POST using Ajax. I traced this to:
module ActionDispatch
class Request < Rack::Request
.....
def forgery_whitelisted?
get? || xhr? || content_mime_type.nil? || !
content_mime_type.verify_request?
end
end
so you don''t check if its a get? or a xhr? (ie ajax request). Is this
correct?
--
2008 Apr 15
4
InvalidAuthenticityToken exception when deleting cookies
Hello,
I''ve been testing my project with some manual tests. One of them
consists of deleting cookies ("clean personal info" in firefox) just
before submit the login form. Then, I get an error.
The error message is: ActionController::InvalidAuthenticityToken in
SessionsController#create
I''m on Rails 2.0.2 with restful_authentication plugin. I''m using