Entries Tagged as 'Uncategorized'
The Tainted Edition
February 13th, 2008 · 4 Comments
There has been a discussion about whether to untaint or not. A string becomes tainted in Ruby when it comes from an external source, for example. The standard Ruby method untaint marks it as untainted. Plugins such as SafeErb do not allow the programmer to output tainted strings (in Erb) in order to protect the […]
Tags: Rails · Uncategorized · XSS and Rails
InvalidAuthenticityToken for in_place_editing?
January 18th, 2008 · 1 Comment
There is a problem with InvalidAuthenticityToken errors that are raised in the methods for the in_place_editing plugin. This happens in Rails 2.0.2 (and possibly earlier versions). It's because there is no authenticity_token sent at all. You can apply this patch until there is a new version out.
If you have something like this:
<%= in_place_editor("title", {:url => […]
Tags: Uncategorized
SafeErb for Rails 2
January 6th, 2008 · 5 Comments
Update: See this comment for how to fix problems with HelperMethods.
You might have noticed that the SafeErb plugin does not work in Rails 2 applications. That is because of old method signatures used in the plugin. The author has put up a blog post (in Japanese) about a new version created by Aaron Bedra which […]
Tags: Uncategorized
Rails 1.2.6 security update
November 25th, 2007 · No Comments
The Rails core team has released Ruby on Rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE identifier for this new issue is CVE-2007-6077. You should upgrade to this new release if you do not take specific session-fixation countermeasures in your application.
1.2.6 also fixes some regressions […]
Tags: Uncategorized
Rails 2.0 cookies (updated)
November 20th, 2007 · 20 Comments
Rails 2.0 will include a new default session storage, the CookieStore (source). What it does is store the clear text "marshalled" session object in a cookie which will be stored on the client side. Here is an example of a new cookie value:
BAh7BzoMdXNlcl9pZGkKIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpG%250AbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--be9c1e802c6cf126c722c68002ccbd5684a96dd9
Well, it is actually not clear text, but Base64 encoding. […]
Tags: Rails · Uncategorized
restful_authentication login security
October 28th, 2007 · 9 Comments
There is a serious security leak in the restful_authentication plugin regarding the activation of an account. You can use it to log in without user credentials or impersonate someone else.
The "activate" method of the controller accepts an empty activation code parameter like this (depending on your routes):
http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=
Which will create this SQL: SELECT * […]
Tags: Rails · Uncategorized
HTTP Authentication and Feed Security
October 18th, 2007 · 13 Comments
In the context of looking for a secure way to send out feeds (RSS, Atom, …), I found several options:
Use basic access authentication to prompt for a user name and password before granting access. This is supported by quite a lot of feed readers and browsers (where you have to enter your credentials).
Advantage: Easy to use, Rails […]
Tags: Uncategorized
Rails 1.2.5 security release
October 15th, 2007 · No Comments
There is another security release which addresses once again the to_json vulnerability. It now has a CVE. If you used to_json in a page you generate:
<script type="text/javascript"> var customers = <%= @customers.to_json %>; </script>
you should upgrade to 1.2.5. Besides that, it fixes some bugs from 1.2.4.
Tags: Uncategorized · XSS and Rails
Welcome
February 15th, 2007 · 3 Comments
What’s happening here?
It’s about Ruby on Rails, it’s about the technologies around RoR and it’s about its security. It might turn out to be about the fast growing role of LARM. (Yes, I invented this term right now, it’s in the style of LAMP, which stands for the architecture of Linux + Apache + MySQL + PHP. So […]
Tags: Uncategorized