Issues - technoweenie/restful-authentication

technoweenie / restful-authentication

229

2160

Description:

Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in.

Sort by: Priority | Votes | Last Updated

Loading…

1.

0 votes

note_failed_signin unescaped string
4 comments Created 6 months ago by mikeycgto

Title

Body
Line 40 of the note_failed_signin in generators / authenticated / templates / controller.rb flash[:error] = "Couldn't log you in as '#{params[:login]}'" Is unescaped and could lead to a potential XSS attack where an attacker could steal the users credentials. It should be: flash[:error] = "Couldn't log you in as '#{CGI.escapeHTML(params[:login])}'"
or cancel

Line 40 of the note_failed_signin in generators / authenticated / templates / controller.rb

flash[:error] = "Couldn't log you in as '#{params[:login]}'"

Is unescaped and could lead to a potential XSS attack where an attacker could steal the users credentials. It should be:

flash[:error] = "Couldn't log you in as '#{CGI.escapeHTML(params[:login])}'"

Comments

saizai Sun May 10 19:49:09 -0700 2009 | link

Yes-but:
a) you should be escaping your flashes at the view level anyway (rather than trusting to do it on every insertion)
b) h() is easier :-p
c) is there a situation where someone could insert to another user's flash, given that this gets added to the current session? They'd just attack themselves.

Comment
Yes-but: a) you should be escaping your flashes at the view level anyway (rather than trusting to do it on every insertion) b) h() is easier :-p c) is there a situation where someone could insert to another user's flash, given that this gets added to the current session? They'd just attack themselves.
or cancel

mikeycgto Mon May 11 07:05:30 -0700 2009 | link

Yeah true, using h() would be easier. I often have my application template display flash error and warn and escaping them wouldn't be an issue. Some users may not want to escape every flash notice\warn however.

The way I envisioned an attack using this vulnerability was that an attacker would create a special link on some rouge page. This link would POST to the login page of the vulnerable application. The login parameter would be some JavaScript, which would in turn, alter the forms actions to point to the attacker's page. The attacker now can collect credentials and further more devise an attack that does not disrupt service or alert the user in anyway.

Comment
Yeah true, using h() would be easier. I often have my application template display flash error and warn and escaping them wouldn't be an issue. Some users may not want to escape every flash notice\warn however. The way I envisioned an attack using this vulnerability was that an attacker would create a special link on some rouge page. This link would POST to the login page of the vulnerable application. The login parameter would be some JavaScript, which would in turn, alter the forms actions to point to the attacker's page. The attacker now can collect credentials and further more devise an attack that does not disrupt service or alert the user in anyway.
or cancel

saizai Mon May 11 07:12:13 -0700 2009 | link

Hm, interesting attack scenario. Seems unlikely IMO, but also, everything should be prevented.

I think this is more an argument for (a) - you should treat the flash as tainted in your view, and escape or whitelist it appropriately.

However, it certainly doesn't hurt to escape it as you suggest. ;-)

Comment
Hm, interesting attack scenario. Seems unlikely IMO, but also, everything should be prevented. I think this is more an argument for (a) - you should treat the flash as tainted in your view, and escape or whitelist it appropriately. However, it certainly doesn't hurt to escape it as you suggest. ;-)
or cancel

mikeycgto Mon May 11 07:15:15 -0700 2009 | link

I just come from the school of thought that it should be default, out of the box secure, with no extra user intervention or anything.

It is an easier enough fix as well, one extra method call the problem is no longer present.

Comment
I just come from the school of thought that it should be default, out of the box secure, with no extra user intervention or anything. It is an easier enough fix as well, one extra method call the problem is no longer present.
or cancel

Parsed with GitHub Flavored Markdown
2.

2 votes

database session store
1 comment Created 6 months ago by egavgabgi

Title

Body
Hi, I am pretty new to Rails although I have been learning it for the past 2 months. I am having trouble using the mysql database active record session store with this plug-in. I keep getting the following error when I try to log-in: ActionController::InvalidAuthenticityToken in SessionsController#create . And each time I go to the login page or any other page for that matter, it creates a new session entry in the sessions table. How can i get the database session store to work properly? I am using rails 2.3.2. Any help would be useful!
or cancel

Hi, I am pretty new to Rails although I have been learning it for the past 2 months. I am having trouble using the mysql database active record session store with this plug-in. I keep getting the following error when I try to log-in: ActionController::InvalidAuthenticityToken in SessionsController#create . And each time I go to the login page or any other page for that matter, it creates a new session entry in the sessions table. How can i get the database session store to work properly? I am using rails 2.3.2.

Any help would be useful!

Comments

Sylvain Wed Jul 08 06:28:44 -0700 2009 | link

Hi, I have exactly the same problem with rails 2.3.2. I can't find any solution on the web for that point.

Comment
Hi, I have exactly the same problem with rails 2.3.2. I can't find any solution on the web for that point.
or cancel

Parsed with GitHub Flavored Markdown
3.

0 votes

missed issue in documentation
0 comments Created 3 months ago by alec-c4

Title

Body
Hi, you have missed issue in installation instructions, that users should add line "include AuthenticatedSystem" to the application controller. Could you correct it plz?
or cancel

Hi,
you have missed issue in installation instructions, that users should add line "include AuthenticatedSystem" to the application controller. Could you correct it plz?

Comments

Parsed with GitHub Flavored Markdown
4.

0 votes

Master branch broken create user method
0 comments Created 3 months ago by remear

Title

Body
NoMethodError in UsersController#create undefined method `name' for #<User:0x23b5400> This is caused by validations in user.rb for :name since the name field is not part of the initial migration. validates_format_of :name, :with => Authentication.name_regex, :message => Authentication.bad_name_message, :allow_nil => true validates_length_of :name, :maximum => 100 Removing these lines fixes the issue.
or cancel

NoMethodError in UsersController#create

undefined method `name' for #<User:0x23b5400>

This is caused by validations in user.rb for :name since the name field is not part of the initial migration.

validates_format_of :name, :with => Authentication.name_regex, :message => Authentication.bad_name_message, :allow_nil => true
validates_length_of :name, :maximum => 100

Removing these lines fixes the issue.

Comments

Parsed with GitHub Flavored Markdown
5.

0 votes

remember_me will never work?
0 comments Created 16 days ago by jfqd

Title

Body
Am I wrong or will remember_me never work? In my opinion two lines are missing in 'by_cookie_token.rb' file (see patch): Index: restful_authentication/lib/authentication/by_cookie_token.rb =================================================================== --- restful_authentication/lib/authentication/by_cookie_token.rb +++ restful_authentication/lib/authentication/by_cookie_token.rb @@ -42,8 +42,10 @@ # refresh token (keeping same expires_at) if it exists def refresh_token if remember_token? - self.remember_token = self.class.make_token - save(false) + self.remember_token = self.class.make_token + save(false) + else + remember_me end end
or cancel
Am I wrong or will remember_me never work? In my opinion two lines are missing in 'by_cookie_token.rb' file (see patch):

Index: restful_authentication/lib/authentication/by_cookie_token.rb

--- restful_authentication/lib/authentication/by_cookie_token.rb +++ restful_authentication/lib/authentication/by_cookie_token.rb @@ -42,8 +42,10 @@
```
   # refresh token (keeping same expires_at) if it exists
   def refresh_token
     if remember_token?
```
- ```
   self.remember_token = self.class.make_token 
```
- ```
   save(false)      
```
- ```
   self.remember_token = self.class.make_token
```
- ```
   save(false)
```
- ```
 else
```
- ```
   remember_me
 end
```
  end
Comments

Parsed with GitHub Flavored Markdown
6.

1 vote

Move to Gemcutter?
0 comments Created 1 day ago by harking

Title

Body
Do you plan on moving restful-authentication to gemcutter?
or cancel

Do you plan on moving restful-authentication to gemcutter?

Comments

Parsed with GitHub Flavored Markdown