similar to: CSRF resets my session in Firefox

I''m setting up a Paypal IPN listener and need the create action to not use rails'' default CSRF protection. I''ve got that working fine & test it actually works with cucumber (where I''ve turned CSRF back on, since it''s full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail

Dear Rails community, As part of a programming languages/security research group at the University of Maryland, we are building some static analysis tools for Rails applications. These tools work by taking formally specified properties of interest, and then analyzing code to verify that those properties indeed hold. Using these tools, we found some security vulnerabilities in Rails, and we would

I am running a Rails 4 app in semi-production and I constantly get exceptions from crawler bots that use a HEAD HTTP method, which causes the CSRF protection to kick in. Shouldn''t HEAD requests normally be handled like GET requests? I am not sure if I''m just being stupid or that hit is a bug somewhere. Michiel -- You received this message because you are subscribed to the

Hi all, My team and I are finding ourselves a little in the dark about the "CSRF Protection Bypass in Ruby on Rails" vulnerability that was announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails 1. Where is the complete Advisory? The Impact section is very unclear. Looking at the comment in the 2.3 patch mentions "Flash animations and

Hi all, I would like to use page caching on my homepage, but also want to enable people to sign in via a modal dialog sign in form. I could have a setup in which when a user lands on the cached homepage, an Ajax GET request pulls in the whole login form so that there is a fresh authenticity token. That said, besides the additional hit to the server, the CSRF token in the head area of the page

Hi, I just noticed that the auto_complete plugin does not work with the CSRF protection in Rails 2.0. I''ve patched the plugin, but I''m wondering if people would like to see the official plugin fixed. If so, speak up and I will write some tests and submit the patch. Krishna --~--~---------~--~----~------------~-------~--~----~ You received this message because you are

Hallo, I want to test the csrf protection of my application but forgery protection is not working with jquery ajax request. I have used Unobtrusive Javascript with jquery I have removed the <%= csrf_meta_tag %> so that my application do not include authenticity token. In my view I have the following code $(function () { $(''#alert'').click(function () { $.ajax({

When you generate a default Rails app, it puts this in application.html.erb: <%= csrf_meta_tags %> It does this so the remote forms can be submitted--i.e., so JavaScript can submit a form. When jquery-rails is about to submit a form, it looks for the <meta> tags named "csrf-param" and "csrf-token" and from them it constructs a hidden

I''ve tried to install JQuery a couple of times now, and I''ve followed the steps for Rails UJS mentioned here: https://github.com/rails/jquery-ujs The last time I went ahead and added jQuery UI as well: $ rails generate jquery:install --ui remove public/javascripts/prototype.js remove public/javascripts/effects.js remove public/javascripts/dragdrop.js

I''m going to go out on a limb here and say the new CSRF protection in Rails is flawed. Why? Forget about caching if you care to use it. Consider the following: <% cache do %> <%= link_to_remote "Add To Favorites", :url => {:controller => "favorites", :action => "create", "movie_id" => 2} %> <% end %> # Output <a

Hi all, I think CSFR protection broke in rails 2.3.11. As in: it''s turned off now. I tried this in rails 2.3.10 and in 2.3.11 and 2.3.11 seems broken. >rails csrftest >cd csrftest >script/generate scaffold post title:string >rake db:migrate now I visit /posts/new in my browser, use firebug to delete or change the authenticity token, and submit the form. rails 2.3.11: all

Hi folks, I am just getting into rails again after a multi-year stint of mod_perl jobs, which might grant me some newbie-indemnity for the time being - but I''ve found an issue I think warrants discussion. As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html - the CSRF protection feature does not kick in for GET requests. This

Posted this on stack overflow earlier today here<http://stackoverflow.com/questions/13673969/rails-3-2-session-id-nil-until-next-request>, I really either don''t know what I''m doing, or I don''t understand how sessions are supposed to work! I''m connecting to rails from an Air app and communicating with JSON only. When the client sends a login request,

Hi all, I stuck a little bit of information on CSRF on the wiki (http://wiki.rubyonrails.com/rails/show/HowToAvoidCrossSiteRequestForgery) and created a "Security Concerns" page from the home page (http://wiki.rubyonrails.com/rails/show/Security+Concerns) - it would be good to have a single point of information for all know security holes and fixes (even if they aren''t Rails

As most of you would have noticed, we have now had 3 CVE-nominated security issues for SWAT in the past couple of years. At the same time, while I know many of our users use SWAT, we just don't have anybody to maintain it inside the Samba Team. Kai has made a valiant effort to at least apply the XSS and CSRF guidelines when folks make security reports, but by his own admission he isn't a

Hi, I ve got a question concerning delete actions in the new rails 3 world with unobtrusive javascript. How may I perform an "ajax" delete in a list of products. if attribute data-method is specified rails.js handleMethod is called, which adds csrf params into a hidden form and form.submit is called. Works great, but form.submit is nt performed as an ajax request. Using data-remote

hi people I don''t know much about ajax - jquery. And right now I need to use some functionality with them. In a form (sales model) I have the following code: <div> <%= f.label :product_id, "Product" %> <%= f.collection_select( :product_id, Product.all, :id, :name, options={} ) %> </div> <div> <%= f.label :price,

Hi, http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same rails app in a new browser tab (maybe some info he''d like to read), and again he will get a new token. Then he changes to the first tab again and submits a form

I am trying to send a POST request ( ''remove_tag_named'' )and getting a simple OK back on success ; it doesn''t work.. the post is correctly sent , but after then it''s looping on sending a GET request to the same url, with the error 301 Moved Permanently I should not be far fro the solution, but I am stuck : In my routes.rb *namespace

Hi, i''ve found some questions on the rails blog which haven''t any answer. Because i''m interested too i paste them here: # gonzo on 07 Dec 22:10: Does CSRF protection work with forms that are fully cached? # rugal on 08 Dec 20:14: Great job guys! Just an information about migrations. will t.timestamps create both created_at and updated_at? And for _on ?