Ruby on Rails Security Projecthttp://www.rorsecurity.info/journal/en-US2009-01-07T13:12:19ZSquarespace Site Server v5.0.0 (http://www.squarespace.com/)Circumvent Rails CSRF Protectionhttp://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.htmlHeiko2008-11-19T08:46:46ZThere is a security-related bug in Ruby on Rails 2.1.x and all 2.2. pre-releases. The CSRF protection given by
the protect_from_forgery method may possibly be circumvented by a crafted request.

The problem is that Rails by design will not check the authenticity token if the request has certain content types that are typically not generated by browsers. According to the original security message, this list also includes "text/plain" which may be generated by browsers. This form data encoding roundup gives an overview of what can be generated by today's browsers. See this changset for details of which content types will be checked.

Possible Exploit

The content type can be set with the enctype attribute in HTML forms:

This was found in this Lighthouse ticket. The original security message states that Rails does not parse the parameters for these requests. However, I was able to craft requests where all parameters where correctly parsed and used.

Temporary Solution

Users of 2.1.x releases are advised to insert the following code into a file in config/initializers/

Mime::Type.unverifiable_types.delete(:text)

Or you apply this patch for the 2.1.x releases. Users of Edge Rails should upgrade to the latest version.

Fixes

Fixes will be in Rails version 2.1.3 and 2.2.2.

]]>Rails Security Guide and Bookhttp://www.rorsecurity.info/journal/2008/11/4/rails-security-guide-and-book.htmlHeiko2008-11-04T11:10:38ZThat's it, the Ruby on Rails Security guide is ready. It is available as a Rails manual at http://guides.rubyonrails.org/security.html and as a free e-book at http://www.rorsecurity.info/the-book/. The first batch of the new Rails Guides also includes 14 other quality manuals