Potential Circumvention of CSRF Protection in Rails 2.1

80 views
Skip to first unread message

Michael Koziarski

unread,
Nov 18, 2008, 1:09:30 PM11/18/08
to rubyonrail...@googlegroups.com
There is a bug in all 2.1.x versions of Ruby on Rails which affects
the effectiveness of the CSRF protection given by
protect_from_forgery.

By design rails does not does not perform token verification on
requests with certain content types not typically generated by
browsers. Unfortunately this list also included 'text/plain' which
can be generated by browsers.

Impact
======

Requests can be crafted which will circumvent the CSRF protection
entirely. Rails does not parse the parameters provided with these
requests, but that may not be enough to protect your application.

Affected Versions
======

* All releases in the 2.1 series
* All 2.2 Pre Releases

Fixes
======

* 2.1.3 and 2.2.2 will contain a fix for this issue.

Interim Workarounds
======

Users of 2.1.x releases are advised to insert the following code into
a file in config/initializers/

Mime::Type.unverifiable_types.delete(:text)

Users of Edge Rails after 2.2.1, should upgrade to the latest code in
2-2-stable.

The patch for the 2.1.x series is available at:

http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a

This will also apply cleanly to 2.2 pre-releases prior to the
following changeset:

commit f1ad8b48aae3ee26613b3e77bc0056e120096846
Author: Michael Koziarski <mic...@koziarski.com>
Date: Thu Nov 13 11:19:53 2008 +0100

Users with edge-rails checkouts after that date, are advised to
upgrade to the latest code in 2-2-stable.

--
Cheers

Koz

Reply all
Reply to author
Forward
0 new messages