Wednesday, Nov 19, 2008

Circumvent Rails CSRF Protection

There is a security-related bug in Ruby on Rails 2.1.x and all 2.2 pre-releases. The CSRF protection given by
the protect_from_forgery method may be circumvented by a crafted request.

The problem is that Rails by design will not check the authenticity token if the request has certain content types that are typically not generated by browsers. According to the original security message, this list also includes "text/plain", which can be generated by browsers. This form data encoding roundup gives an overview of what today's browsers can generate. See this changeset for details of which content types will be checked.

 

Possible Exploit

The content type can be set with the enctype attribute in HTML forms:

<form method="post" enctype="text/plain" action="<%= some_post_action_path(@var) %>"><%= submit_tag "Start" %></form>

This was found in this Lighthouse ticket. The original security message states that Rails does not parse the parameters for these requests. However, I was able to craft requests where all parameters were correctly parsed and used.

 

Temporary Solution

Users of 2.1.x releases are advised to insert the following code into a file in config/initializers/:

Mime::Type.unverifiable_types.delete(:text)

Or apply this patch for the 2.1.x releases. Users of Edge Rails should upgrade to the latest version.
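To make the effect of the skipped check and of the initializer workaround concrete, here is a small self-contained Ruby model of the verification decision described above. This is an added example, not code from Rails or from the post: the type list, the content-type-to-symbol table and the Request struct are constructed stand-ins for Mime::Type.unverifiable_types, Mime::Type lookup and ActionController's request object, and the default list is assumed to contain :text as the post describes.

```ruby
require 'set'

# Constructed stand-in for Mime::Type.unverifiable_types in Rails 2.1.x:
# content types for which the authenticity token is NOT checked.
# Assumption: the default includes :text (text/plain), as the post states.
UNVERIFIABLE_TYPES = Set[:xml, :json, :text]

# Constructed mapping from a request's Content-Type header to the MIME symbol.
SYMBOL_FOR_CONTENT_TYPE = {
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'text/plain'                        => :text,
  'application/xml'                   => :xml,
  'application/json'                  => :json
}.freeze

# Minimal constructed request: only the fields the CSRF decision needs.
Request = Struct.new(:http_method, :content_type, :params)

# Models the shape of the protect_from_forgery decision: GET is exempt,
# a request whose content type is on the unverifiable list passes without
# any token, and everything else must carry the session's token.
def verified_request?(req, session_token, unverifiable_types = UNVERIFIABLE_TYPES)
  return true if req.http_method == :get
  type_sym = SYMBOL_FOR_CONTENT_TYPE[req.content_type]
  return true if unverifiable_types.include?(type_sym)
  req.params['authenticity_token'] == session_token
end

# The workaround from config/initializers/:
#   Mime::Type.unverifiable_types.delete(:text)
# applied to a copy so the vulnerable default stays available for comparison.
def hardened_types(types = UNVERIFIABLE_TYPES)
  types.dup.delete(:text)
end

# Runs the three cases a reviewer would want to see and returns them by name.
def demo(session_token = 'constructed-session-token')
  # A cross-site form post with enctype="text/plain" carries no token.
  text_plain_no_token = Request.new(:post, 'text/plain', { 'name' => 'x' })
  # A normal same-site form post carrying the correct token.
  urlencoded_with_token = Request.new(:post, 'application/x-www-form-urlencoded',
                                      { 'authenticity_token' => session_token })
  {
    vulnerable_default_accepts_text_plain:
      verified_request?(text_plain_no_token, session_token),
    hardened_rejects_text_plain:
      !verified_request?(text_plain_no_token, session_token, hardened_types),
    hardened_still_accepts_valid_token:
      verified_request?(urlencoded_with_token, session_token, hardened_types)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, ok| puts "#{name}: #{ok}" }
end
```

With the default list, a POST whose Content-Type is text/plain is accepted without any authenticity token; after :text is removed it is refused like any other untokened POST, while a correctly tokened urlencoded form still passes. The hardened list only reproduces the single-line initializer; the actual fix in 2.1.3 and 2.2.2 lives in the linked changeset.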

 

Fixes

Fixes will be in Rails version 2.1.3 and 2.2.2.


Reader Comments (5)

This is the Firefox LOC in question:
http://mxr.mozilla.org/mozilla-central/source/content/html/content/src/nsFormSubmission.cpp#1166

And this is in webkit:
http://trac.webkit.org/browser/releases/Apple/Safari%203.2/WebCore/html/HTMLFormElement.cpp#L354

November 19, 2008 | Unregistered Commenterdeep

Thanks for such a nice post, but the easy option would be using the patch.

December 19, 2008 | Unregistered CommenterMudassir


Bug is the real error of code. Or is it just another point of view for code interpretation? In this idea any clear code can be a bug.

August 12, 2010 | Unregistered Commenterw.a

