Displaying 20 results from an estimated 1000 matches similar to: "Protect from forgery for Rest destroy action ???"
2008 May 08
1
disabling forgery protection
Hi,
I have to enable batch uploads to my website with CURL and forgery
protection in ApplicationController is standing in my way. I do use
the restful authentication plugin and I do call login_required on all
actions. Should I keep forgery protection around?
Forgery protection only makes sure that the client request has
originated from client's session, right? Is there anything else
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi,
http://apidock.com/rails/ActionController/RequestForgeryProtection only
maintains one CSRF token at a time. When a user visits some site, he gets a
new token in the session. He then might open a linked site of the same
rails app in a new browser tab (maybe some info he'd like to read), and
again he will get a new token. Then he changes to the first tab again and
submits a form
2009 Jun 09
3
protect_from_forgery doesn't protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery
function, but it does not seem to work for me. Imagine the following:
A simple website with a user that needs to log in to do certain stuff
and a closed off admin section that only certain users can access that
have the is_admin field set to true.
So to be clear, my User model has a login, password and is_admin.
When displaying the
2008 Aug 21
4
forgery Protection
Has anybody solved this issue
[http://rubyforge.org/pipermail/facebooker-talk/2008-April/000552.html]?
NameError (undefined local variable or method `controller' for
#<LeaveController:0xb7144abc>):
/app/controllers/application.rb:24:in `verify_authenticity_token'
2008 Aug 25
1
Catch forgery errors
Hi all,
I am using ajax for some requests but when the user session expires, I get
an ActionController::InvalidAuthenticityToken error.
Do you know how I could trap this error and redirect to the login panel?
2006 Aug 02
0
How to counter Cross Site Request Forgery?
Hi,
We would like to create a unique string when a user logs in and pass the
string between actions. Each user can compare the incoming string with
the one stored in the session to assert whether the request is coming
from within the application or from a malicious external source.
What mechanism can we use to pass this string around?
Passing as params to the actions, may not be an option as
2009 May 05
3
Unable to deactivate forgery protection
Hi,
I just created a new Rails app that will be receiving some POSTed data
from the outside so it must skip the verify_authenticity_token for some
create actions. Although I have added:
skip_before_filter :verifiy_authenticity_token
I still get InvalidAuthenticityToken. In one of my other Rails app
(created back in Rails 1.2.6 and updated to 2.3.2 over time) this
skipping works perfectly though,
2005 May 12
1
Cross-site Request Forgery
Hi all,
I stuck a little bit of information on CSRF on the wiki
(http://wiki.rubyonrails.com/rails/show/HowToAvoidCrossSiteRequestForgery)
and created a "Security Concerns" page from the home page
(http://wiki.rubyonrails.com/rails/show/Security+Concerns) - it would
be good to have a single point of information for all known security
holes and fixes (even if they aren't Rails
2007 Dec 11
1
unescapeHTML return incorrect string under firefox
function testUnescapeHTML()
{
var testString = "<div><a hrer="#">test</a></div>"
}
this simple test function return string "<div><a href="#">test</a></
div>" under internet explorer,and return "<a herf="#">test</a>" under
firefox(strip <div> pair), how can
2011 Jul 26
1
[Announce] Samba 3.5.10, 3.4.14 and 3.3.16 Security Releases Available
Release Announcements
=====================
Samba 3.5.10, 3.4.14 and 3.3.16 are security releases in order to
address CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).
o CVE-2011-2522:
The Samba Web Administration Tool (SWAT) in Samba versions
3.0.x to 3.5.9 is affected by a cross-site request forgery.
o CVE-2011-2694:
2008 Dec 22
0
FreeBSD Security Advisory FreeBSD-SA-08:12.ftpd
=============================================================================
FreeBSD-SA-08:12.ftpd Security Advisory
The FreeBSD Project
Topic: Cross-site request forgery in ftpd(8)
Category: core
Module: ftpd
Announced:
2011 Nov 04
1
add dynamic nested attributes without nested form gem
Hello people
In my rails 3.0.9 app I'm trying to add nested attributes
dynamically, but I don't want to use "nested form gem"
So I found this example
https://github.com/alloy/complex-form-examples/blob/a234fde4419836f277d7e340657f1d8418911d68/app/helpers/projects_helper.rb
but this code doesn't work
module ProjectsHelper
def
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I'm setting up a Paypal IPN listener and need the create action to not
use rails' default CSRF protection.
I've got that working fine & test it actually works with cucumber
(where I've turned CSRF back on, since it's full-stack testing) but
would like my controller spec to mention the need for
protect_from_forgery :except => [:create] (and fail
2004 Aug 06
0
Re: mail bounces
On Sun 21 Mar 2004 - 02:58:46 EST - James Couzens wrote:
> Mail coming from motherfish-II.xiph.org is likely getting dropped due to
> the following (which I pulled out of the headers of a piece of mail
> after wondering where all my speex email suddenly disappeared off to:
>
> 2.8 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server -
> [198.136.36.245 listed in
2019 Jul 17
0
pigeonhole question: filtering on delivered-to in case of fetchmail
> On 15 Jul 2019, at 18:11, Trever L. Adams via dovecot <dovecot at dovecot.org> wrote:
> > So, one of the problems I am seeing is that people are trying to fake users into revealing information by sending from an outside domain but with an internal reply to address and claiming to be administration, IT or what
2006 Feb 07
1
Error undefined method `of_caller' for Binding:Class
Hi all,
I have the following helper method:
def collapsible_fragment(collapsed, &block)
html = '<div>'
html << capture(&block) if( block_given? && !collapsed)
html << '</div>'
Binding.of_caller do |binding|
concat(html, binding)
end
2007 Jun 13
0
Speex has been added to Softonic
Greetings from Softonic,
We just wanted to let you know that Speex has recently been added to our online software listing.
You can see the entry for your program here:
http://en.softonic.com/ie/42915
Softonic is the largest download portal in Europe and the only one in the world offering free software downloads and reviews for the Spanish, German and English speaking markets.
Feedback
We
2019 Jan 23
3
Status of SCP vulnerability
Hey.
I'm also a bit concerned about this issue...
On Tue, 2019-01-22 at 13:48 +1100, Damien Miller wrote:
> Don't use
> scp with untrusted servers.
But that would effectively mean one has to toss scp.
Reality is simply that most peers cannot be really trusted? just
imagine all the administration work which is done from some
user/admin's computer to countless servers (running
2008 Sep 02
4
Rescue rails errors
Hi all,
Sometimes, I get the following error in my application:
ActionController::InvalidAuthenticityToken in
ManageController#site_servers
ActionController::InvalidAuthenticityToken
I tried to put the code in manage controller between begin ... rescue
... end but it didn't catch the error.
So I tried in the application.rb controller, I put the forgery code
between begin ... rescue ...