Displaying 20 results from an estimated 70000 matches similar to: "How to counter Cross Site Request Forgery?"
2005 May 12
1
Cross-site Request Forgery
Hi all,
I stuck a little bit of information on CSRF on the wiki
(http://wiki.rubyonrails.com/rails/show/HowToAvoidCrossSiteRequestForgery)
and created a "Security Concerns" page from the home page
(http://wiki.rubyonrails.com/rails/show/Security+Concerns) - it would
be good to have a single point of information for all known security
holes and fixes (even if they aren't Rails
2006 Apr 05
7
Regex for splitting string
Hi
We have a search website where the user can type in individual words
separated by spaces and/or phrases enclosed in single or double quotes.
We are looking for a way to obtain a list of words and phrases from the
search string.
Can someone help?
Thanks,
Yash
--
Posted via http://www.ruby-forum.com/.
2008 May 08
1
disabling forgery protection
Hi,
I have to enable batch uploads to my website with CURL and forgery
protection in ApplicationController is standing in my way. I do use
the restful authentication plugin and I do call login_required on all
actions. Should I keep forgery protection around?
Forgery protection only makes sure that the client request has
originated from client's session, right? Is there anything else
2009 May 05
3
Unable to deactivate forgery protection
Hi,
I just created a new Rails app that will be receiving some POSTed data
from the outside so it must skip the verify_authenticity_token for some
create actions. Although I have added:
skip_before_filter :verifiy_authenticity_token
I still get InvalidAuthenticityToken. In one of my other Rails app
(created back in Rails 1.2.6 and updated to 2.3.2 over time) this
skipping works perfectly though,
2010 Jul 19
0
Protect from forgery for Rest destroy action ???
Hi !!
I'm reading the rails guides about security, I had a question about the
forgery protection
If we consider a standard Restful resource ( generated with scaffold for
example ), the update and create actions are protected from forgery
attacks thanks to the authenticity token, but what about the destroy
method ??
<a href="/posts/2"
2006 Mar 01
6
How to retrieve attributes from HABTM?
We have tables Users and Communities linked by has_and_belongs_to_many.
The join table Communities_Users has additional fields [ is_active,
is_blocked, join_date] etc. These are populated using
@user.push_with_attributes(:is_active => true,...).
Later on how do we update or retrieve the attributes in the link table
for a given user or a community with doing it explicitly using SQL?
Thanks,
2006 Feb 08
2
How to install RailsCron?
Hi,
I would like to start running a background procedure once a user logs in
to his account on the website. For this I am considering using the
RailsCron object. However, I am not able to download it. I am new to
Rails. Can someone give me the exact command I should use to get
RailsCron?
Can someone suggest a better way of running a procedure in the
background?
Thanks
-Yash
2009 Jun 09
3
protect_from_forgery doesn't protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery
function, but it does not seem to work for me. Imagine the following:
A simple website with a user that needs to log in to do certain stuff
and a closed off admin section that only certain users can access that
have the is_admin field set to true.
So to be clear, my User model has a login, password and is_admin.
When displaying the
2006 Feb 11
1
How to POST raw data?
Hi,
I know that ActionController::AbstractRequest provides a raw_post method
that reads the data that has been posted to the HTTP server as raw data.
I am trying to create a rails application that POSTs raw XML data to a
web page that reads raw data.
I would like to know how to POST raw data to an HTTP server using Ruby
on Rails.
Can you help me with this?
Thanks,
Yash
2006 Feb 11
1
Instructions required for RailsCron
Hi,
I am writing a client-server rails app. The client and server maintain
similar databases. Periodically, I would like them to synchronize their
databases. For this, in the application, once the user logs in, I want
to spawn a background process at the client that first sends the
client's new data and then receives the server's new data.
I am thinking of using RailsCron for
2015 Aug 12
0
Apache mod_perl cross site scripting vulnerability
On Wed, Aug 12, 2015 at 3:39 AM, Proxy One <proxy-one at mail.ru> wrote:
> Is there way to use curl for testing? I'm getting new line because of
> the single quote inside string and escaping it with backslash gives me
> bash: syntax error near unexpected token `<'
You can use curl's -K option which lets you stick arguments in a file,
helpful for getting around shell
2006 Mar 30
1
What is the entry-point for a rails app?
Hi,
I would like to run a DOS command such as "net send ..." when I start
the rails application using script\server. Can you please tell me where
I need to put the call? Is it environment.rb by any chance?
-Yash
2008 Aug 21
4
forgery Protection
Has anybody solved this issue. [
http://rubyforge.org/pipermail/facebooker-talk/2008-April/000552.html ] ?
NameError (undefined local variable or method `controller' for
#<LeaveController:0xb7144abc>):
/app/controllers/application.rb:24:in `verify_authenticity_token'
2008 Aug 25
1
Catch forgery errors
Hi all,
I am using ajax for some request but when the user session expire, I get
a ActionController::InvalidAuthenticityToke error.
Do you know how I could trap this error and redirect to the login panel
?
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi,
http://apidock.com/rails/ActionController/RequestForgeryProtection only
maintains one CSRF token at a time. When a user visits some site, he gets a
new token in the session. He then might open a linked site of the same
rails app in a new browser tab (maybe some info he'd like to read), and
again he will get a new token. Then he changes to the first tab again and
submits a form
2006 Jul 13
4
script injection/cross-site scripting protection
When is it possible to set <script>while(true){}</script> as the value of
project.name, what is the best way to escape the output of the following?
<td><%= project.name %></td>
Dennis Byrne
2015 Aug 12
2
Apache mod_perl cross site scripting vulnerability
On 2015-Aug-11 19:57, Ellen Shull wrote:
> On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote:
>
> > I haven't used <Location /perl-status> but Trustwave still finds me
> > vulnerable.
> >
> [...]
> > Response: HTTP/1.1 404 Not Found
>
> You clearly aren't serving perl-status; that's a red herring here.
Indeed,
2006 Apr 02
1
Looking for helpers/components/controllers for form wizards
Hi,
In our project, we have a number of forms to be filled by the users. The
forms are presented as wizards - each form has a number of steps. I would
like to know whether there is an existing helper developed by the Rails
community that can let me create wizards easily. We also want all
wizards to have the same look and feel.
Thanks,
Yash
2006 Apr 18
1
Pagination links with separator
Hi,
I have @result_pages and @results obtained from paginate in an action. I
want to show the pages as
1 | 2 | 3 | 4 >
The fifth page will show:
< 5 | 6 | 7 | 8 >
and so on.
How exactly do I render the paginator to give this effect? I guess I
will have to use pagination_links_each. But being new to Rails, I need
help.
Thanks,
Yash
2017 Aug 19
1
[PATCH] nv50/ra: Only increment DefValue counter if we are going to spill
This is in preparation of an upcoming patch changing how we keep track of the
defs.
Signed-off-by: Tobias Klausmann <tobias.johannes.klausmann at mni.thm.de>
---
src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp b/src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp