similar to: CSRF protection in rails 2.3.11

Displaying 20 results from an estimated 4000 matches similar to: "CSRF protection in rails 2.3.11"

2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all, My team and I are finding ourselves a little in the dark about the "CSRF Protection Bypass in Ruby on Rails" vulnerability that was announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails 1. Where is the complete Advisory? The Impact section is very unclear. Looking at the comment in the 2.3 patch mentions "Flash animations and
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I'm setting up a Paypal IPN listener and need the create action to not use rails' default CSRF protection. I've got that working fine & test it actually works with cucumber (where I've turned CSRF back on, since it's full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail
2010 Apr 01
4
POST-only logic in protect_from_forgery considered harmful?
Hi folks, I am just getting into rails again after a multi-year stint of mod_perl jobs, which might grant me some newbie-indemnity for the time being - but I've found an issue I think warrants discussion. As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html - the CSRF protection feature does not kick in for GET requests. This
2008 Feb 07
4
text_field_with_auto_complete
I have the following in my view: <% form_tag :action => 'detail' do %> Search for Sales Order Number:<br /> <%= text_field_with_auto_complete :sales_order, :id %>&nbsp; <%= submit_tag " Go "%> <% end %> And I have the following in my controller: auto_complete_for :sales_order, :id This worked fine in 1.5, but
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community, As part of a programming languages/security research group at the University of Maryland, we are building some static analysis tools for Rails applications. These tools work by taking formally specified properties of interest, and then analyzing code to verify that those properties indeed hold. Using these tools, we found some security vulnerabilities in Rails, and we would
2019 Nov 21
4
[Sieve] Multiple email recipients, how?
Hi, First, I am very new to using Pigeonhole/Sieve with Dovecot and I am struggling with a problem which could be easy to solve but is just a lack of understanding on my end... We use a simple system for routing emails to different email users by postfixing the addresses with the actual user: xxxJohn at domain; yyyJohn at domain etc all will be delivered to user John. (This way John can
2010 Feb 22
10
Error: "ActionController::InvalidAuthenticityToken"
Hi there, I have my first Rails app running and I regularly get the following "logged_exception" error message: "ActionController::InvalidAuthenticityToken" Has anybody an idea what might cause this problem? Could it somehow be a "time out" error (like an "AuthenticityToken" which might expire after a certain time, or something along those lines)? Any
2011 Feb 17
8
logoutput=>on_failure doesn't work as expected
I'm using puppet 0.25.1. I've got a simple resource: exec { "/bin/ls $oracle_base/dba/bin/database_backup.ksh": logoutput => on_failure, } and I don't want it to log every time it's successfully run: $ sudo tail -F /var/log/messages | grep puppetd Feb 17 16:36:11 test puppetd[26614]: (//my_module/Exec[/bin/ls /u01/
2008 Jan 08
3
Unbreak ActiveRecordHelper::form() when protect_from_forgery is used
Can I get some +1s for this tiny patch? It fixes ActiveRecordHelper::form, which is broken by default in new applications created with Rails 2.0. http://dev.rubyonrails.org/ticket/10739 Jeremy
2006 Sep 11
1
Wrong content-type reported for messages with only a text/html body?
Hi all, It looks like Dovecot 1.0rc7 reports the wrong content-type for messages with only a text/html body. An example of such a message is: --- From: mathijs at izecom.com Subject: test To: foobar at example.com Content-Type: text/html; test --- When I talk IMAP to Dovecot directly using telnet and fetch the bodystructure of this message, Dovecot replies: * 1 FETCH (BODYSTRUCTURE
2008 Jul 24
6
6TB SCSI RAID vs. Centos
I have an Infortrend RAID box I'd like to see as one big 6TB partition, but I only can get 2.2TB partitions to work. I was trying to do this with an Adaptec controller but apparently they are only (any of them) 48 bits wide. Does anybody have a working system for SCSI/Centos over 2.2TB? Milt Mallory Topix.com 650-461-8316 Always consider the issues of progressive enhancement and
2013 Jan 22
2
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get exceptions from crawler bots that use a HEAD HTTP method, which causes the CSRF protection to kick in. Shouldn't HEAD requests normally be handled like GET requests? I am not sure if I'm just being stupid or that it is a bug somewhere. Michiel
2002 Jan 18
5
contrib/solaris/opensshd.in patch
This patch adds the seatbelts which _only_ kill parent sshd procs... -RMallory (eg: when you ssh into a machine and pkgadd the new openssh, it will not kill your current (or anyone else's sshd session) onanother_note: the buildpkg.sh could use some exec_prefix functionality... to deal with ./configure --prefix= --exec_prefix=/usr *** bak/opensshd.in Fri Oct 19 13:36:24 2001 ---
2010 Feb 09
4
Rails3 pre and protect_from_forgery
I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having some trouble with protect_from_forgery. I had protect_from_forgery set in application_controller.rb, but run some uploadify ajax stuff in one of my controllers, where I had protect_from_forgery, :except => :add_file set. In rails 3 I'm getting ActionController::InvalidAuthenticityToken on the ajax
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi, http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same rails app in a new browser tab (maybe some info he'd like to read), and again he will get a new token. Then he changes to the first tab again and submits a form
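Added example, not taken from any of the threads above and not Rails' own code: a stand-alone Ruby model of what protect_from_forgery does, covering the points raised in the GET-only thread (the check is skipped for GET, so GET handlers must be side-effect free), the Rails 4 HEAD thread (HEAD is treated like GET), the multiple-tabs thread (a single token minted once per session is shared by every tab, so switching tabs does not invalidate a form), and the PayPal IPN thread (an :except list for endpoints that cannot carry a token). weak_verified? models the older shape of the check that exempted any request claiming to be XHR, the pattern the February 2011 bypass thread asks about; verified? is the hardened form that accepts the token either as a form parameter or in the X-CSRF-Token header. The names Request, CsrfGuard, demo, the session Hash and the :ipn_create action are assumptions made for this example.

```ruby
require 'securerandom'

# Added example: a Rails-free model of protect_from_forgery. The class and
# method names (Request, CsrfGuard, demo) are assumed for illustration only.
class Request
  attr_reader :method, :action, :params, :headers

  def initialize(method:, action:, params: {}, headers: {})
    @method  = method.to_s.upcase
    @action  = action.to_s
    @params  = params
    @headers = headers
  end

  # Header browsers attach to XMLHttpRequest; browser plugins could set it too.
  def xhr?
    headers['X-Requested-With'] == 'XMLHttpRequest'
  end
end

class CsrfGuard
  SAFE_METHODS = %w[GET HEAD].freeze # skipped: handlers for these must not change state
  PARAM  = 'authenticity_token'
  HEADER = 'X-CSRF-Token'

  # session: any Hash-like store. except: actions exempted the way
  # `protect_from_forgery :except => [...]` does (e.g. a PayPal IPN endpoint).
  def initialize(session, except: [])
    @session = session
    @except  = except.map(&:to_s)
  end

  # One token per session, minted lazily and reused on every render, so a
  # form opened in a second browser tab carries the same token as the first.
  def token
    @session['_csrf_token'] ||= SecureRandom.base64(32)
  end

  # Weak, historical shape of the check: any request that merely claims to be
  # XHR passes without a token, so anything able to set the header forges at will.
  def weak_verified?(req)
    SAFE_METHODS.include?(req.method) || req.xhr? || token_matches?(req)
  end

  # Hardened check: only GET/HEAD and explicitly excepted actions skip the
  # token; every other request must present it as a param or in the header.
  def verified?(req)
    return true if SAFE_METHODS.include?(req.method)
    return true if @except.include?(req.action)
    token_matches?(req)
  end

  private

  def token_matches?(req)
    supplied = req.params[PARAM] || req.headers[HEADER]
    supplied.is_a?(String) && secure_compare(supplied, token)
  end

  # Constant-time comparison so the token cannot be recovered byte by byte
  # from response timing. Unequal lengths never match.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Runs the scenarios discussed in the threads against one session and
# returns a Hash of outcomes; every value is expected to be true.
def demo
  session = {}
  guard   = CsrfGuard.new(session, except: [:ipn_create])
  post    = lambda do |action, params = {}, headers = {}|
    Request.new(method: 'POST', action: action, params: params, headers: headers)
  end
  fake_xhr = { 'X-Requested-With' => 'XMLHttpRequest' } # forged, no token

  tab1 = guard.token # first tab renders a form
  tab2 = guard.token # second tab renders another form: same token
  {
    same_token_across_tabs:    tab1 == tab2,
    get_skipped:               guard.verified?(Request.new(method: 'GET', action: 'show')),
    head_skipped:              guard.verified?(Request.new(method: 'HEAD', action: 'show')),
    form_post_accepted:        guard.verified?(post.('update', { CsrfGuard::PARAM => tab1 })),
    ajax_post_accepted:        guard.verified?(post.('update', {}, { CsrfGuard::HEADER => tab2 })),
    missing_token_rejected:    !guard.verified?(post.('update')), # InvalidAuthenticityToken case
    wrong_token_rejected:      !guard.verified?(post.('update', { CsrfGuard::PARAM => 'x' * 44 })),
    excepted_action_passes:    guard.verified?(post.('ipn_create', { 'txn_id' => '1' })),
    weak_check_bypassed:       guard.weak_verified?(post.('update', {}, fake_xhr)),
    hardened_rejects_fake_xhr: !guard.verified?(post.('update', {}, fake_xhr))
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The two skip rules are where the caveats live: because GET and HEAD bypass the check entirely, any handler reachable with those methods must be side-effect free, and every action placed on the :except list is unprotected and needs its own authentication (for an IPN listener, verifying the notification with the payment provider rather than trusting the POST body).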
2013 Jan 09
4
CSRF resets my session in Firefox
Hello all, I've been trying to diagnose an issue with CSRF and Firefox specifically. I've got an ajax based form, using UJS (yes, I have csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header to the ajax beforeSend events without any luck)... The form just posts some data to an ajax method that creates, saves, and sets the session for a shopper as
2008 Mar 15
3
[HELP]No :secret given to the #protect_from_forgery call
I am starting to BDD. When specing the controller I want to test for object creation: it "should create a new person on post create" do Usuario.should_receive(:create).with({:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}).and_return(@usuario) post 'create', {:usuario => {:nombre =>
2007 Oct 23
6
Auto complete plugin and CSRF protection-- do you care?
Hi, I just noticed that the auto_complete plugin does not work with the CSRF protection in Rails 2.0. I've patched the plugin, but I'm wondering if people would like to see the official plugin fixed. If so, speak up and I will write some tests and submit the patch. Krishna
2012 Dec 03
2
Rails 3.2 session id nil until next request
Posted this on stack overflow earlier today here<http://stackoverflow.com/questions/13673969/rails-3-2-session-id-nil-until-next-request>, I really either don't know what I'm doing, or I don't understand how sessions are supposed to work! I'm connecting to rails from an Air app and communicating with JSON only. When the client sends a login request,
2011 Jun 24
7
Different users within same exec
I have the following exec in my manifest : exec { some_exec: path => [ "/bin","/usr/bin","/usr/local/bin" ], command => "EXECUTE COMMAND 1", onlyif => "EXECUTE COMMAND 2", logoutput => "on_failure" } I want that the "COMMAND 1" should be executed by "USER 1" and "COMMAND 2"