<?xml version="1.0" encoding="UTF-8"?>
<commits type="array">
  <commit>
    <parents type="array">
      <parent>
        <id>c05e9ee1c3e6580b0bff72051c294cc955581001</id>
      </parent>
    </parents>
    <author>
      <name>Spyridon Vasileiadis</name>
      <email>spyridon.vasileiadis@googlemail.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/0535b5ff99d45c94e6cb5d54d8ddaf24081840bd</url>
    <id>0535b5ff99d45c94e6cb5d54d8ddaf24081840bd</id>
    <committed-date>2009-03-15T06:56:38-07:00</committed-date>
    <authored-date>2009-03-15T06:53:26-07:00</authored-date>
    <message>multisite: Fix broken article versions

[This is an edited version of the author's blog post at
http://inormalized.com/2009/2/19/how-to-fix-broken-article-versions-in-emk-mephisto-edge-post-0-8-1. -Eric]

Currently in mephisto edge, article versions are broken. More precisely,
the bug comes up ONLY when the installation operates in multisite mode
(or even more precisely, when there are at least two articles belonging
to two different sites).

The problem is how acts_as_versioned is being used. An acts_as_versioned
record has among others an &#8220;id&#8221; column (the default id that ActiveRecord
requires) and a &#8220;version&#8221; column.

Currently Mephisto falsely does the following inside
\app\controllers\admin\articles_controller.rb on line 38 (edit
action)...

  @version = params[:version] ? @article.versions.find(params[:version]) : @article or raise(ActiveRecord::RecordNotFound)

The whole problem is the find(params[:version]). What happens here is
that we look up an article&#8217;s version by searching for its id instead of
for its version column (even though we do use the correct :version
parameter).

So this has to change to find_by_version(params[:version]) and thus
become...

  @version = params[:version] ? @article.versions.find_by_version(params[:version]) : @article or raise(ActiveRecord::RecordNotFound)

Notice though that this doesn&#8217;t break in a single-site installation,
because in this case id and version both get the same (concurrent)
increment. That is because all articles belong to the same one and only
Site instance.</message>
    <tree>a89976f39245db9125dfb1dc3f21c0430d87953a</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>9a7251f4b1e8e7147935b1cad8d6f126196bf051</id>
      </parent>
    </parents>
    <author>
      <name>David Cato</name>
      <email>git@crunchyfrog.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/c05e9ee1c3e6580b0bff72051c294cc955581001</url>
    <id>c05e9ee1c3e6580b0bff72051c294cc955581001</id>
    <committed-date>2009-03-15T06:35:02-07:00</committed-date>
    <authored-date>2009-03-06T14:53:16-08:00</authored-date>
    <message>Fix tainted string error when updating comment

When updating a comment, a tainted string error was being thrown due to
the lack of a h() escape on the article title in the comment partial.
A deprecation warning from truncate() in the comment partial has also
been resolved.

A functional test (test_should_update_comment) for the admin comments
controller is also included.</message>
    <tree>ca2ae99ace7993d04f809ae7eab6870a6250ca7f</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>b68e9b2e3a14f33660bf39f3e557a9938c7b0e38</id>
      </parent>
    </parents>
    <author>
      <name>David Cato</name>
      <email>git@crunchyfrog.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/9a7251f4b1e8e7147935b1cad8d6f126196bf051</url>
    <id>9a7251f4b1e8e7147935b1cad8d6f126196bf051</id>
    <committed-date>2009-03-15T06:34:25-07:00</committed-date>
    <authored-date>2009-03-02T22:54:14-08:00</authored-date>
    <message>Expire cache on theme change from admin/settings

Force cache expiration when changing the theme from the Admin::Settings
controller as is done when changing the theme from the Admin::Themes
controller so that the behavior after a change of theme is consistent,
regardless of where the change is made.</message>
    <tree>06eb36f2d66ab6ec1465f19842fea6518d9ff33e</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>bb6c3a33fdbab9b4a65e157d54f7f6c52e413ee9</id>
      </parent>
    </parents>
    <author>
      <name>David Cato</name>
      <email>git@crunchyfrog.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/29e8c41bd7dcdb514c8eee87278cd36e9f97011b</url>
    <id>29e8c41bd7dcdb514c8eee87278cd36e9f97011b</id>
    <committed-date>2009-03-15T06:27:55-07:00</committed-date>
    <authored-date>2009-02-27T14:30:28-08:00</authored-date>
    <message>Pass comment approval status to the template

By passing the comment's approval setting to the __thanks_for_comment
template, the template can provide additional feedback such as &quot;Your
comment is awaiting moderator approval&quot;, &quot;Sorry, we threw your comment
away&quot;, or similar if the comment was not automatically approved.  For
example, __thanks_for_comment.liquid could look like the following:

  Thanks for the comment.
  {% unless approved %}It is awaiting moderation.{% endunless %}</message>
    <tree>18b0922930a31c8ab961e7435c5e6e5a3fb42fdf</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>dd86ad9c22a3e6cc5eb97591997472d6b348b443</id>
      </parent>
    </parents>
    <author>
      <name>David Cato</name>
      <email>git@crunchyfrog.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/bb6c3a33fdbab9b4a65e157d54f7f6c52e413ee9</url>
    <id>bb6c3a33fdbab9b4a65e157d54f7f6c52e413ee9</id>
    <committed-date>2009-03-15T06:25:59-07:00</committed-date>
    <authored-date>2009-02-26T18:03:11-08:00</authored-date>
    <message>Force consistent ordering of dates containing NULLs

Because database servers differ on how they sort NULL values, the sort
order for articles was changed, via COALESCE, so that a NULL date will
be treated as being less than (i.e., older than) any non-NULL date.
This fixes test_should_search_article_by_section so that it passes with
MySQL, SQLite, and PostgreSQL.

[I'm merging this patch because I'm quite fond of PostgreSQL, and
because it has been tested with most of the other databases we support.
If this breaks your database, please let me know. -Eric]</message>
    <tree>bdb33940bce48271283629d3945ff464fc7660cc</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>73c5e891d5a0fada73d6c4161f12821608900d82</id>
      </parent>
    </parents>
    <author>
      <name>Mathieu Martin</name>
      <email>webmat@gmail.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/8d73a2a5ff64954ffb230dd7561a17e6fc1781af</url>
    <id>8d73a2a5ff64954ffb230dd7561a17e6fc1781af</id>
    <committed-date>2009-03-15T06:17:33-07:00</committed-date>
    <authored-date>2009-03-11T20:54:52-07:00</authored-date>
    <message>Fix the parameter logging filtering...

Call filter_parameter_logging only once with all sensitive field names, rather than once per field to protect.</message>
    <tree>2de226078c3dc9194d5bf8234dca1b886619c042</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>5c568b5587cd3df6021e80e021485db75d3b9e44</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/1473acf8307ec21d2002acab94691841d8003580</url>
    <id>1473acf8307ec21d2002acab94691841d8003580</id>
    <committed-date>2009-02-01T18:14:10-08:00</committed-date>
    <authored-date>2009-02-01T18:14:10-08:00</authored-date>
    <message>Fix display of theme homepage links

Many thanks to Gustavo Sales (aka vatsu) for pointing out this bug and
proposing a fix:

http://github.com/vatsu/mephisto/commit/e7b0ecaaca4457dd7d542ac218baf979e1b7a190
http://github.com/vatsu/mephisto/commit/fbe32e923ad6dfb963a8311053214b3395aeb37b

In order to minimize code duplication in the *.erb files, I've rewritten
this code as a helper method.</message>
    <tree>33323a79d12d193b35a3b1ea4cc1dc8bfbc9d40f</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>985782461c010f13e0d3af6f152d0b1280cd1faf</id>
      </parent>
      <parent>
        <id>9b7cbbb116d8d353f3132d5a59f79b67e9dab698</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/7ee79816ffc0f2433df412e87024061e794736e3</url>
    <id>7ee79816ffc0f2433df412e87024061e794736e3</id>
    <committed-date>2009-02-01T16:45:55-08:00</committed-date>
    <authored-date>2009-02-01T16:45:55-08:00</authored-date>
    <message>Merge branch 'master' of git://github.com/technoweenie/mephisto</message>
    <tree>9d0dbbbb12894eafbcaf25895480de8ee32958a6</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>e229865d6e63a6b6c0e6cb7aac21992ca303f94a</id>
      </parent>
    </parents>
    <author>
      <name>Sean O'Brien</name>
      <email>sean.obrien56@yahoo.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/9b7cbbb116d8d353f3132d5a59f79b67e9dab698</url>
    <id>9b7cbbb116d8d353f3132d5a59f79b67e9dab698</id>
    <committed-date>2009-01-29T23:41:07-08:00</committed-date>
    <authored-date>2009-01-29T23:41:07-08:00</authored-date>
    <message>missing tainted string in cache listing</message>
    <tree>5fc6c3dbb07419ab0ef0975eebe230224745db5b</tree>
    <committer>
      <name>Sean O'Brien</name>
      <email>sean.obrien56@yahoo.com</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>e6ef40f48b4d37f18381e8a0ed2dd5a551a7d82b</id>
      </parent>
    </parents>
    <author>
      <name>James McCarthy</name>
      <email>james2mccarthy@gmail.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/b2ead2f1617fcd3f5141f8c7b2082d57c47c8f85</url>
    <id>b2ead2f1617fcd3f5141f8c7b2082d57c47c8f85</id>
    <committed-date>2009-01-13T05:07:27-08:00</committed-date>
    <authored-date>2009-01-11T18:36:47-08:00</authored-date>
    <message>escaped link in _page.html.erb

Signed-off-by: James McCarthy &lt;james2mccarthy@gmail.com&gt;</message>
    <tree>f8437b7daf1349cf75fb3a352e1f6f6090699155</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>3700f8d9e7aeefaf5d175d2ea4e412c2927ec229</id>
      </parent>
    </parents>
    <author>
      <name>Chris Cummer</name>
      <email>chris@postal-code.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/e6ef40f48b4d37f18381e8a0ed2dd5a551a7d82b</url>
    <id>e6ef40f48b4d37f18381e8a0ed2dd5a551a7d82b</id>
    <committed-date>2009-01-09T04:28:52-08:00</committed-date>
    <authored-date>2009-01-04T12:36:51-08:00</authored-date>
    <message>Changed user login to send user to admin section on successful login instead of the blog homepage since users have the ability to post to the blog</message>
    <tree>f48310c10b955f3eacf2eea4017212f38fd66984</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>ec67cdcf11399edd442749b9799c4dbe2059c39a</id>
      </parent>
    </parents>
    <author>
      <name>Chris Cummer</name>
      <email>chris@postal-code.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/a3c0a7d80f75c5560a3fffa2c2f96831399ffd3c</url>
    <id>a3c0a7d80f75c5560a3fffa2c2f96831399ffd3c</id>
    <committed-date>2008-12-31T05:57:43-08:00</committed-date>
    <authored-date>2008-12-30T13:20:00-08:00</authored-date>
    <message>Fixes 'attempted to output tainted string' error when rendering email address for mailto</message>
    <tree>b56cc71c6397c67df9f05e1af6d0f0af4a36f3cd</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>1ea714e42637e08faa76d7c988cf85125207c23f</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/5f488ccb504cd103258f7a8af7ad87c219254b6c</url>
    <id>5f488ccb504cd103258f7a8af7ad87c219254b6c</id>
    <committed-date>2008-12-26T08:26:27-08:00</committed-date>
    <authored-date>2008-12-26T08:26:27-08:00</authored-date>
    <message>JavaScript: Rename admin/assets/*.js -&gt; *.js.rjs</message>
    <tree>d0cf09ffb2ff0014888219770df4ba4ed2ebc375</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>be52beb86d2228cc2f5b0b95a5669e4ce58904f4</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/975d51bcf58d92922fd18cef9d2837fd6bc72907</url>
    <id>975d51bcf58d92922fd18cef9d2837fd6bc72907</id>
    <committed-date>2008-12-23T21:06:59-08:00</committed-date>
    <authored-date>2008-12-23T21:06:59-08:00</authored-date>
    <message>Modernize rjs: admin/articles

I'm going to try to rename all the *.rjs files to *.js.rjs.  This is
trickier than the other renamings, because our unit test coverage isn't
perfect, and I'm trying to test everything by hand when possible.  So
I'm going to do this one directory at a time.

Other changes:
  - The live_preview and _preview stuff wasn't being used.
  - We didn't have a test case for the 'label' action.</message>
    <tree>14448796ede7ff813e4e7f758139087822190ff9</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>19d3422c313410e7f64ba51a991a1ea1491cc663</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/be52beb86d2228cc2f5b0b95a5669e4ce58904f4</url>
    <id>be52beb86d2228cc2f5b0b95a5669e4ce58904f4</id>
    <committed-date>2008-12-23T18:06:15-08:00</committed-date>
    <authored-date>2008-12-23T18:06:15-08:00</authored-date>
    <message>Rename *.rxml files to *.xml.builder

This also requires adding respond_to blocks to some of our actions.</message>
    <tree>92c1271652cedf439437f7bd3edc39189e4aa419</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>b24d0b198cde9fbcbe87f802b12ee61743a6d380</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/19d3422c313410e7f64ba51a991a1ea1491cc663</url>
    <id>19d3422c313410e7f64ba51a991a1ea1491cc663</id>
    <committed-date>2008-12-23T17:49:20-08:00</committed-date>
    <authored-date>2008-12-23T17:49:20-08:00</authored-date>
    <message>Rename *.rhtml files to *.html.erb

Let's go for the new-school approach here.</message>
    <tree>7d7a2f9566d2d09b448fc2398610017d9a87e2b4</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>6677a2c0f490a7cdaa1671482db3f714d45cf8d3</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/8f3656b21398306fed78ccd13097eca8ebb55238</url>
    <id>8f3656b21398306fed78ccd13097eca8ebb55238</id>
    <committed-date>2008-12-22T05:57:08-08:00</committed-date>
    <authored-date>2008-12-22T05:28:15-08:00</authored-date>
    <message>Fix theme controller bugs

J.C. Zhu reported an InvalidAuthenticityToken error when trying to
change themes.  This was one of several bugs in the theme switching
code left over from the Rails 2.2 porting process and the security
audit.

We needed to convince Ajax.Request to use a GET request when displaying
the theme tools, and we needed to properly escape some text in the
_tools template.

I've also added a test case to make sure we actually render the _tools
view successfully.</message>
    <tree>638431d73fd1a8a299cca19e90f23d133d958930</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>4aae70e165bd63602fb51ef44d516f9f67c3737a</id>
      </parent>
    </parents>
    <author>
      <name>rick</name>
      <email>technoweenie@gmail.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/e229865d6e63a6b6c0e6cb7aac21992ca303f94a</url>
    <id>e229865d6e63a6b6c0e6cb7aac21992ca303f94a</id>
    <committed-date>2008-12-20T10:48:38-08:00</committed-date>
    <authored-date>2008-12-20T10:48:38-08:00</authored-date>
    <message>catch tainted string in overview</message>
    <tree>7a580309ed604bf6eb679546848711d3a6202804</tree>
    <committer>
      <name>rick</name>
      <email>technoweenie@gmail.com</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>9c612f8c90ca2921086c123d5e574005d00a16b0</id>
      </parent>
    </parents>
    <author>
      <name>rick</name>
      <email>technoweenie@gmail.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/8681b6419d3bbe53929dea28ede3d32553944832</url>
    <id>8681b6419d3bbe53929dea28ede3d32553944832</id>
    <committed-date>2008-12-20T10:45:38-08:00</committed-date>
    <authored-date>2008-12-20T10:45:38-08:00</authored-date>
    <message>extract event mode logic to Event.mode_from</message>
    <tree>826d503b1227bb79877842b1811603ae5dc9ff7d</tree>
    <committer>
      <name>rick</name>
      <email>technoweenie@gmail.com</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>64eff7f46ab8191d1dd766f7746f3a52d31fd7b3</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/38348fb9236859143d79acba02388af617731204</url>
    <id>38348fb9236859143d79acba02388af617731204</id>
    <committed-date>2008-12-20T07:45:14-08:00</committed-date>
    <authored-date>2008-12-20T07:45:14-08:00</authored-date>
    <message>Don't log &quot;remember me&quot; token

This token can be trivially recovered from the database, so excluding it
from the logs doesn't actually accomplish anything.  But there's no
reason to include it in the logs, either.</message>
    <tree>e68e88c291aa443bb67f1469e003600c25d5abdf</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>c500bf8e05c250d02672c30d079a0bdeb66f0569</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/64eff7f46ab8191d1dd766f7746f3a52d31fd7b3</url>
    <id>64eff7f46ab8191d1dd766f7746f3a52d31fd7b3</id>
    <committed-date>2008-12-20T07:43:45-08:00</committed-date>
    <authored-date>2008-12-20T07:43:45-08:00</authored-date>
    <message>Security: Attempt to block auth of nil tokens, etc.

Some Rails authentication systems have suffered from a vulnerability
involving nil or blank login tokens:

  http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/

This patch includes a bunch of test cases testing for possible attacks
along these lines, and some sanity-checking code in our authentication
methods.

Note that the tests and the code don't really &quot;line up&quot; here--most of
the test methods passed already, and most of the sanity-checking code
is probably unnecessary.  But again, better safe than sorry.</message>
    <tree>3b4e0fdd75748350aff26d604f7f5a7d6a61e552</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>ff0113a3c8ed63746af2a6c8398f29969330b439</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/c500bf8e05c250d02672c30d079a0bdeb66f0569</url>
    <id>c500bf8e05c250d02672c30d079a0bdeb66f0569</id>
    <committed-date>2008-12-20T06:10:37-08:00</committed-date>
    <authored-date>2008-12-20T06:10:37-08:00</authored-date>
    <message>Security: Force all GET requests to be read-only

The W3C makes a clear distinction between GET and POST requests.  GET
requests should only cause &quot;safe&quot; actions, and the user should never be
held accountable for making GET requests.  See the following for an
overview:

  http://www.w3.org/2001/tag/doc/whenToUseGet.html

The Rails 'protect_against_forgery' function (and possibly some web
browsers) rely on the distinction between GET and POST to provide
protection against CSRF attacks.  See:

  http://en.wikipedia.org/wiki/Cross-site_request_forgery
  http://guides.rubyonrails.org/security.html#_csrf_countermeasures

Unfortunately, enforcing these rules is rather difficult, especially in
a large application with lots of controllers and plugins.  So this patch
applies a rather heavy-handed fix: We globally block database writes
during GET requests, and specifically override that policy in one or two
places.

All of our current overrides invoke User#reset_token!.  I haven't
performed a full security analysis of allowing User#reset_token! (or
updates to session[:user] based on our &quot;remember me&quot; token) in a GET
request.  For now, I'm going to go ahead and allow this activity--if we
actually have some sort of vulnerability here, it affects a wide range
of web applications.

Note that this patch may break some part of the /admin interface.  I've
tried posting articles and other basic stuff, but I haven't used the
lesser-known corners of /admin since making these changes.  Please
report any problems.</message>
    <tree>58b206f97ec48143ffae2256ba548a18b1e21765</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>a644733791f42edc5d15ac8409639050f5d0a155</id>
      </parent>
      <parent>
        <id>b7cb8221e066cb55884bf941e1b421ccf6082404</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/284f1acd28abab4005f6388d095e9cd1cc2f52a0</url>
    <id>284f1acd28abab4005f6388d095e9cd1cc2f52a0</id>
    <committed-date>2008-12-19T20:47:10-08:00</committed-date>
    <authored-date>2008-12-19T20:47:10-08:00</authored-date>
    <message>Merge branch 'experimental'

Conflicts:

	app/drops/comment_drop.rb</message>
    <tree>653b1d47ba2601a3523006e48c7110310d48f4df</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>173c3b82e7dae0f7d616c5522104e48f76ef94ad</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/c8c4bcc772301abcee6735466df93b60291878aa</url>
    <id>c8c4bcc772301abcee6735466df93b60291878aa</id>
    <committed-date>2008-12-19T19:25:22-08:00</committed-date>
    <authored-date>2008-12-19T19:25:22-08:00</authored-date>
    <message>Security: Fix many broken filter regexps

In Ruby, &quot;foo\nbar&quot; =~ /^bar/ will result in a match, because ^ matches
at the start of any line, not at the start of the string.  In general,
we want to use \A and \z in place of ^ and $, respectively.

We rely heavily on regular expressions to filter untrusted data.  And
many of these regular expressions can be fooled easily because they rely
on ^ and $ when they shouldn't.  See comment_drop_test for a
user-exploitable example.

This patch does a bulk search-and-replace of the offending patterns.  It
may easily have missed something somewhere, but it's a good start.</message>
    <tree>7c76b84b39cf0d8fbaa0ec49c7c13251deb1f1d6</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>bf1a5deb79007d56901984d70eb3ad0f8122ef7a</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/06917544a35c178a5ab2c9ec61773693e4886d36</url>
    <id>06917544a35c178a5ab2c9ec61773693e4886d36</id>
    <committed-date>2008-12-19T14:53:05-08:00</committed-date>
    <authored-date>2008-12-19T14:53:05-08:00</authored-date>
    <message>Only accept known comment fields

The comment form is the most-exposed attack point in all of Mephisto,
because it doesn't require an authenticity_token and can be used by
anybody on the internet.

In the interests of paranoia, this patch removes bulk assignment from
the comment-posting code.  I don't see any way to exploit the previous
code (several attr_accessible fields looked vulnerable, but don't
actually exist any more).  But better safe than sorry.</message>
    <tree>69c93bc46f89eb83bf1bce71c0615c77bfc357df</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>bf1a5deb79007d56901984d70eb3ad0f8122ef7a</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/b7cb8221e066cb55884bf941e1b421ccf6082404</url>
    <id>b7cb8221e066cb55884bf941e1b421ccf6082404</id>
    <committed-date>2008-12-19T06:26:23-08:00</committed-date>
    <authored-date>2008-12-19T06:26:23-08:00</authored-date>
    <message>Security: Fix XSS attack against new comment form

WARNING: If you're one of the first people testing this commit, please
use a backup database.

How to reproduce: Create a new comment, and set all fields to
&lt;script&gt;alert(&quot;Pwned&quot;)&lt;/script&gt;.  Submit it.  You will see a JavaScript
alert dialog, which is bad.

What's happening: Untrusted fields in Comment objects are sanitized
immediately before they're written to the database for the first time.
But if validation fails, it leaves the application with an unsanitized
comment object.  When the &quot;can't submit comment&quot; error is displayed,
this unsanitized comment object can be passed straight through to
Liquid, which assumes that all HTML tags have been escaped.

(This may look like &quot;self XSS&quot; attack only, but hostile pages can
trigger it by tricking you into submitting a comment form back to your
own site, preloaded with malicious data.)

How we fix it: We make HTML escaping the responsibility of CommentDrop,
not the Comment model.  This means that we need to unescape several
existing fields in the database.

Possible issues: This means that we're storing dangerous, untrusted data
in our database, and that we need to rely on the proper use of 'h' and
'CGI.escapeHTML'.  In the case of 'h', we're already using SafeERB, so
insecure admin templates will be caught automatically, and dangerous
data should never be sent to the user.  In the case of Liquid, we need
to carefully examine our CommentDrop class to make sure that we're not
passing any unescaped data through to the Liquid templates.  But this is
a pretty manageable &quot;proof obligation&quot;--and remember that the old
&quot;sanitize on create&quot; code actually suffered from XSS attacks, because it
was too easy to do the sanitization in the wrong place.</message>
    <tree>0703ba7b1fb18d1eae97eb5c7a0537cffa8fb2eb</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>098bb13f543c47e652442e65c1402eb563ba99b8</id>
      </parent>
    </parents>
    <author>
      <name>isaac</name>
      <email>isaackearse@gmail.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/87b221f3914e412f4d376591240ea62a88b58785</url>
    <id>87b221f3914e412f4d376591240ea62a88b58785</id>
    <committed-date>2008-12-16T20:56:35-08:00</committed-date>
    <authored-date>2008-12-16T20:56:35-08:00</authored-date>
    <message>Change location of the default theme from themes/default =&gt; app/themes/default, and ignore the themes folder

Now you can just symlink the themes folder when deploying and not overwrite any changes.</message>
    <tree>b531ef6852c29ad31c0dedbce7893c538fad0fb1</tree>
    <committer>
      <name>isaac</name>
      <email>isaackearse@gmail.com</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>1189e41398778b7665a49338f6f063c4040b3472</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/e7af58c5fe9b993de16478b102e2e1af320a8402</url>
    <id>e7af58c5fe9b993de16478b102e2e1af320a8402</id>
    <committed-date>2008-12-15T06:05:21-08:00</committed-date>
    <authored-date>2008-12-15T06:05:21-08:00</authored-date>
    <message>Rename forgot_password template to have correct MIME type

This is part of some soon-to-be-committed work with safe_erb, but it
stands alone just fine.</message>
    <tree>fa0a571db05f28048598e2f830c88d47a970db8b</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>01e4d91b3f6faca894186a492a2b735396f0e598</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/1189e41398778b7665a49338f6f063c4040b3472</url>
    <id>1189e41398778b7665a49338f6f063c4040b3472</id>
    <committed-date>2008-12-14T06:34:43-08:00</committed-date>
    <authored-date>2008-12-14T06:33:58-08:00</authored-date>
    <message>Fix timezone bug caused by port to Rails 2.2

This bug was introduced in 3414a37d9432f2a64ae3dda4238c6f546555c9ed, and
was reported by &quot;barontick&quot; on #mephisto.  Changes introduced while
cleaning up unit test failures on the way to Rails 2.2 prevented users
from setting the site's timezone.

Some notes on this patch.
  1) We want to keep using 'tzinfo', and not Rails' built-in time zone
     classes, because the former supports daylight savings time.
  2) It's easier to just add a virtual timezone_name accessor instead of
     trying to do conversions in Site#timezone=.
  3) We can re-enable some old specs for Site, because there's no
     longer any danger of deleting site themes.

I really wish we had a better way of testing that HTML forms could be
submitted back to the database successfully, closing the loop between
two different sets of test cases on output and input.</message>
    <tree>b0c83e8282a973db66ceca68a330d145082e1e41</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>cd59873a681781388f5783b3b57b96c45fe5b43f</id>
      </parent>
    </parents>
    <author>
      <name>isaac</name>
      <email>isaackearse@gmail.com</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/d6b5007b25fb3487e6b508eae3927d4a56a16e38</url>
    <id>d6b5007b25fb3487e6b508eae3927d4a56a16e38</id>
    <committed-date>2008-12-12T15:21:18-08:00</committed-date>
    <authored-date>2008-12-12T15:21:18-08:00</authored-date>
    <message>fix warnings about adding parentheses for future versions of ruby</message>
    <tree>aa453c3d61ffc067785418a8b9c0a84687fbd3c4</tree>
    <committer>
      <name>isaac</name>
      <email>isaackearse@gmail.com</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>31430c44ac1d26cd3b4dbb26a7374dd6164e2b47</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/d2c8c8e3aee4c222c645f0b7b493799ffd826bc3</url>
    <id>d2c8c8e3aee4c222c645f0b7b493799ffd826bc3</id>
    <committed-date>2008-12-12T05:24:57-08:00</committed-date>
    <authored-date>2008-12-12T05:24:57-08:00</authored-date>
    <message>Security: Replace white_list with Rails 2.2 sanitizer

The Rails 2.2 sanitizer is an enhanced version of Rick's original
white_list plugin, so let's upgrade and get the latest fixes.

Note that Mephisto had separate rules for sanitizing comments and
non-comments in Atom feeds.  This difference was introduced in commit
88df87e3a1cb8474fa479d855035ab4d2ca2351e.  Unfortunately, I'm not able
to track down any information on the problem being fixed here.  Since we
already add half of the tags in question to the whitelist, I've decided
to just treat all sanitized Atom feed content the same.  Please let me
know if this breaks anything.</message>
    <tree>d442e5291b0aec71e6ecde67222ee49e59c38df1</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>7a20455fab59441d15e261172aa9fac109eb3893</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/31430c44ac1d26cd3b4dbb26a7374dd6164e2b47</url>
    <id>31430c44ac1d26cd3b4dbb26a7374dd6164e2b47</id>
    <committed-date>2008-12-12T04:40:42-08:00</committed-date>
    <authored-date>2008-12-12T04:40:42-08:00</authored-date>
    <message>Security: More h(...) tags

These are based on manual inspection.</message>
    <tree>20de9e4507d3b7dc76697df85d9e877837527dbb</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>a83309dbc833ce1ef255ac65275ba498115d1040</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/7a20455fab59441d15e261172aa9fac109eb3893</url>
    <id>7a20455fab59441d15e261172aa9fac109eb3893</id>
    <committed-date>2008-12-11T16:05:37-08:00</committed-date>
    <authored-date>2008-12-11T16:05:37-08:00</authored-date>
    <message>Security: Escape more strings

The sqlite3_ruby database adapter does not correctly taint strings
unless you first apply this patch:

  http://rubyforge.org/tracker/index.php?func=detail&amp;aid=20325&amp;group_id=254&amp;atid=1045

With this patch applied, SafeERB finds more errors.  These are now
fixed.  It would be highly desirable to update SafeERB and modify it for
production use with Rails 2.2.</message>
    <tree>eb43abe7ea4ced62e2f3cdc99532039644227102</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>f9d3c105eb0c22b7a66430619be41b697c98200f</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/a83309dbc833ce1ef255ac65275ba498115d1040</url>
    <id>a83309dbc833ce1ef255ac65275ba498115d1040</id>
    <committed-date>2008-12-11T15:31:50-08:00</committed-date>
    <authored-date>2008-12-11T15:29:51-08:00</authored-date>
    <message>Security: Escape strings where recommended by SafeERB

The SafeERB plugin attempts to automatically detect view code which
fails to properly escape HTML.  You can find information here:

  http://wiki.rubyonrails.com/rails/pages/Safe+ERB

I'm using a version of SafeERB modified by Matthew Bass, which can be
found on github:

  http://github.com/pelargir/safe_erb/tree/master

My local copy is modified to avoid some false positives, and isn't ready
for production use yet.  But here's the first batch of changes it
recommended.  Note that some of these changes weren't really necessary--
some of the values we're wrapping can't actually contain HTML
metacharacters, at least not in normal locales.

Also note that SafeERB is only useful for the normal view code in places
like /admin, and that it won't help us with Liquid plugins in the front
end.  But it's a start.</message>
    <tree>bf75a57264c39abb41b433917bea009351be6b48</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
  <commit>
    <parents type="array">
      <parent>
        <id>5186bb4204e0b3397109c4b40ce7643753badfcd</id>
      </parent>
    </parents>
    <author>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </author>
    <url>http://github.com/emk/mephisto/commit/f9d3c105eb0c22b7a66430619be41b697c98200f</url>
    <id>f9d3c105eb0c22b7a66430619be41b697c98200f</id>
    <committed-date>2008-12-11T05:33:43-08:00</committed-date>
    <authored-date>2008-12-11T05:31:25-08:00</authored-date>
    <message>Security: Make 'token' cookie HTTP-only

This prevents malicious JavaScript code injected by an XSS attack from
reading your &quot;Remember me&quot; token, and getting long-term access to your
account.  Note that not all browsers honor :http_only, and of those
that do, some allow it to be bypassed using XmlHttpRequest.</message>
    <tree>043277cf8ca6916df97dd005b77ec05a0cd2fbbc</tree>
    <committer>
      <name>Eric Kidd</name>
      <email>git@randomhacks.net</email>
    </committer>
  </commit>
</commits>
