The problem is that Rails by design will not check the authenticity token if the request has certain content types that are typically not generated by browsers. According to the original security message, this list also includes "text/plain" which may be generated by browsers. This form data encoding roundup gives an overview of what can be generated by today's browsers. See this changset for details of which content types will be checked.
The content type can be set with the enctype attribute in HTML forms:
<form method="post" enctype="text/plain" action="<%= some_post_action_path(@var) %>"><%= submit_tag "Start" %></form>
This was found in this Lighthouse ticket. The original security message states that Rails does not parse the parameters for these requests. However, I was able to craft requests where all parameters where correctly parsed and used.
Users of 2.1.x releases are advised to insert the following code into a file in config/initializers/
Mime::Type.unverifiable_types.delete(:text)
Or you apply this patch for the 2.1.x releases. Users of Edge Rails should upgrade to the latest version.
Fixes will be in Rails version 2.1.3 and 2.2.2.
]]>So far, the online version of the guide is one long page, I hope it will be seperated soon. Meanwhile you can read the e-book version of it. For those of you looking for a quick overview of good practice and countermeasures, scan the document for the fragments that are highlighted.
I will be officially announcing the Guide at the OWASP EU Summit in Portugal this week.
]]>