Potential Circumvention of CSRF Protection in Rails 2.1
From: "Michael Koziarski" <mich...@koziarski.com>
Date: Tue, 18 Nov 2008 19:09:30 +0100
Subject: Potential Circumvention of CSRF Protection in Rails 2.1
There is a bug in all 2.1.x versions of Ruby on Rails which affects
the effectiveness of the CSRF protection given by
protect_from_forgery.

By design, Rails does not perform token verification on
requests with certain content types not typically generated by
browsers.  Unfortunately this list also included 'text/plain', which
can be generated by browsers.

Impact
======

Requests can be crafted which will circumvent the CSRF protection
entirely.  Rails does not parse the parameters provided with these
requests, but that may not be enough to protect your application.

Affected Versions
=================

* All releases in the 2.1 series
* All 2.2 Pre Releases

Fixes
======

* 2.1.3 and 2.2.2 will contain a fix for this issue.

Interim Workarounds
===================

Users of 2.1.x releases are advised to insert the following code into
a file in config/initializers/

  Mime::Type.unverifiable_types.delete(:text)

Users of Edge Rails after 2.2.1 should upgrade to the latest code in
2-2-stable.

The patch for the 2.1.x series is available at:

http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc...

This will also apply cleanly to 2.2 pre-releases prior to the
following changeset:

commit f1ad8b48aae3ee26613b3e77bc0056e120096846
Author: Michael Koziarski <mich...@koziarski.com>
Date:   Thu Nov 13 11:19:53 2008 +0100

Users with edge-rails checkouts after that date are advised to
upgrade to the latest code in 2-2-stable.

--
Cheers

Koz
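The following is an added example, not code from Rails or from the advisory's author. It models the decision protect_from_forgery makes in Rails 2.1 (GET is exempt, content types on the "unverifiable" list skip the token check, everything else must present a matching token) so that the effect of the interim workaround, removing :text from that list, can be seen on a token-less text/plain POST. The default skip list ([:text, :json, :xml, :yaml]), the content-type table and the ForgeryCheck class are assumptions chosen for the demo, not Rails' own tables or API.

```ruby
require 'set'

# Added example, not Rails code: a small model of the protect_from_forgery
# decision in Rails 2.1, reduced to what the advisory discusses. The skip
# list and the content-type table below are assumptions for the demo.

# Maps a Content-Type header to the symbol the demo registers it under
# (text/plain => :text mirrors the :text symbol used in the workaround).
CONTENT_TYPE_SYMBOLS = {
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'text/plain'                        => :text,
  'application/json'                  => :json,
  'application/xml'                   => :xml
}.freeze

class ForgeryCheck
  attr_reader :unverifiable_types

  def initialize(unverifiable_types = [:text, :json, :xml, :yaml])
    @unverifiable_types = Set.new(unverifiable_types)
  end

  # The advisory's interim workaround,
  # Mime::Type.unverifiable_types.delete(:text), in model form:
  # text/plain requests go back to being token-checked.
  def apply_workaround!
    @unverifiable_types.delete(:text)
    self
  end

  # A format is "verifiable" when its content type is known and not on the
  # skip list; unknown or missing content types are not token-checked.
  def verifiable_format?(content_type)
    sym = CONTENT_TYPE_SYMBOLS[content_type]
    !sym.nil? && !@unverifiable_types.include?(sym)
  end

  # Shape of the verified_request? decision: GET is exempt, unverifiable
  # formats skip the token check, everything else must present the token.
  def verified_request?(method:, content_type:, token:, expected_token:)
    method == :get ||
      !verifiable_format?(content_type) ||
      (!token.nil? && token == expected_token)
  end
end

# Runs the same token-less POST through the default and the worked-around
# configuration and returns the outcomes so they can be compared.
def workaround_demo
  secret = 'session-authenticity-token' # constructed value for the demo
  no_token_text = { method: :post, content_type: 'text/plain',
                    token: nil, expected_token: secret }
  no_token_form = { method: :post,
                    content_type: 'application/x-www-form-urlencoded',
                    token: nil, expected_token: secret }
  default = ForgeryCheck.new
  patched = ForgeryCheck.new.apply_workaround!
  {
    # true: with :text on the skip list the token check never runs
    text_plain_default: default.verified_request?(**no_token_text),
    # false: after the workaround a text/plain POST needs the token
    text_plain_patched: patched.verified_request?(**no_token_text),
    # false: ordinary form POST without a token is rejected
    form_no_token: patched.verified_request?(**no_token_form),
    # true: the same form POST with the right token passes
    form_with_token: patched.verified_request?(**no_token_form.merge(token: secret)),
    # true: JSON is still skipped, which the advisory describes as by design
    json_patched: patched.verified_request?(**no_token_text.merge(content_type: 'application/json')),
    # true: GET is exempt regardless of content type
    get_patched: patched.verified_request?(**no_token_text.merge(method: :get))
  }
end

if __FILE__ == $PROGRAM_NAME
  workaround_demo.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

The two text_plain_* results are the whole point: the only thing the workaround changes is whether :text is on the skip list, and that alone decides whether a browser-originated text/plain POST reaches the token comparison. The json_patched result is a reminder that the fix narrows the exemption to types browsers do not send; it does not turn token checking on for every content type.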