From a644733791f42edc5d15ac8409639050f5d0a155 Mon Sep 17 00:00:00 2001 From: Eric Kidd Date: Fri, 19 Dec 2008 23:34:23 -0500 Subject: [PATCH] Security: Block tags when sanitizing A whole class of CSRF attacks uses the img tag: This will invoke action_that_allows_get using a GET request and first- party cookies. There are some examples on Wikipedia: http://en.wikipedia.org/wiki/Cross-site_request_forgery Note that really solid enforcement of the "use GET only for queries" rule will also prevent this kind of attack. Also note that if you allow third-party cookies, this patch doesn't help you at all--any other site on the Internet could trigger this attack. --- RAILS-2.2-TODO.txt | 2 +- config/environment.rb | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/RAILS-2.2-TODO.txt b/RAILS-2.2-TODO.txt index 18449abb..e80ac7c7 100644 --- a/RAILS-2.2-TODO.txt +++ b/RAILS-2.2-TODO.txt @@ -35,7 +35,7 @@ X Can we restrict admin cookies to /admin ? No--need /accounts, too. Detect mass assignment failures in unit tests / Review mass assignment in public controllers - comments / Check regexes for ^ and $ - Filter IMG tags +/ Filter IMG tags Block database updates on POST requests Review http://guides.rubyonrails.org/security.html again diff --git a/config/environment.rb b/config/environment.rb index 7d555246..f628f28f 100644 --- a/config/environment.rb +++ b/config/environment.rb 
@@ -66,8 +66,13 @@ def safe_to_load_application? config.active_record.observers = [:article_observer, :comment_observer] end - # Allow table tags in untrusted HTML. + # Allow table tags in untrusted HTML, but block img tags to prevent + # SRC attributes from being used in CSRF attacks. config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td'] + config.after_initialize do + ActionView::Base.sanitized_allowed_tags.delete 'img' + ActionView::Base.sanitized_allowed_attributes.delete 'src' + end # We're slowly moving the contents of vendor and vender/plugins into # vendor/gems by adding config.gem declarations.
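Review bot: the context line `Block database updates on POST requests` in the RAILS-2.2-TODO.txt hunk reads as if it should say GET requests: the commit message names enforcing the "use GET only for queries" rule as the change that also closes this attack, and a site that only mutates state on POST is exactly what makes an img-tag CSRF harmless. Worth fixing that wording in the same edit that marks `Filter IMG tags` done, and noting beside the ticked item that the img filter is a partial measure (the message itself says it does nothing once third-party cookies are allowed).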
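Review bot: the two `delete` calls inside `config.after_initialize` in the config/environment.rb hunk have no test guarding them and are order-sensitive: the assignment on the preceding line evidently leaves the default tag list in place (otherwise `img` would not need deleting afterwards), so any later initializer or plugin that touches `sanitized_allowed_tags` or `sanitized_allowed_attributes` can silently reinstate `img` or `src`. Add a unit test that sanitizes an `<img src=...>` fragment after boot and asserts the result contains neither an img element nor a src attribute. The new comment also understates the change: `ActionView::Base.sanitized_allowed_attributes.delete 'src'` removes `src` for every allowed tag, not just `img`, and that line is the one that actually neutralises the GET trigger, so say so in the comment.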