forked from technoweenie/mephisto
Security: Turn on protect_from_forgery for admin/
The Rails protect_from_forgery function helps protect against cross-site request forgery attacks, as described on Wikipedia: http://en.wikipedia.org/wiki/Cross-site_request_forgery

These attacks involve a hostile site sending requests to a site where the user is logged in, exploiting the user's session cookie to do various bad things.

The protect_from_forgery function works by requiring all POST (and PUT and UPDATE) requests to have an authenticity_token parameter that corresponds to a value in the user's session. This is automatically included in generated forms by the various form helpers, and checked in the controller. However, we still need to deal with some cases (specifically Ajax.Request) manually.

We make several types of changes to get everything working again:

- Some POST requests were changed to GET requests, when appropriate.
- The token was added manually to other POST requests. This was done using the new init_mephisto_authenticity_token.
- Forgery protection was disabled in the test environment.

Note that we still need to review the authentication controller closely, and eliminate various XSS attacks against our application before this protection will do much good.

I tested this code by manually using the admin/ interface, editing articles, adding users, and working with assets. There's probably still some breakage somewhere that I missed, so let me know if you have problems.

I also updated the TODO list for Rails 2.2 and added security-auditing notes.
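The check the commit message describes, as an added illustration by the editor (a stand-alone model, not Rails' own protect_from_forgery code and not code from the mephisto repository): the token lives in the session, safe requests skip the check, and every other request must carry an authenticity_token equal to it, which is what a hand-built Ajax.Request has to supply itself. The session key `_csrf_token`, the `with_token` helper and the GET/HEAD exemption are assumptions made for the example.

```ruby
require 'securerandom'

# Editor's model of a per-session CSRF token check (not Rails' implementation).
class ForgeryGuard
  # Assumption: only idempotent methods are exempt from the token check.
  SAFE_METHODS = %w[GET HEAD].freeze

  # Token bound to this session; created on first use. (Key name is an assumption.)
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.hex(32)
  end

  # Parameters a hand-built Ajax.Request must send. Generated forms get this
  # added for them by the form helpers; Ajax callers have to merge it in.
  def self.with_token(session, params)
    params.merge('authenticity_token' => token_for(session))
  end

  # true when the request may proceed. A cross-site POST arrives with the
  # victim's session cookie but without the token (the hostile page cannot
  # read it), so it fails here even though the session itself is valid.
  def self.verified?(method, params, session)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    expected = session[:_csrf_token]
    given = params['authenticity_token']
    return false if expected.nil? || given.nil?
    secure_equal?(given.to_s, expected)
  end

  # Constant-time comparison so the check does not leak the token byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```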
Showing 8 changed files with 67 additions and 21 deletions.
@@ -0,0 +1,15 @@ | ||
require File.dirname(__FILE__) + '/../../spec_helper' | ||
|
||
describe Admin::ArticlesController do | ||
controller_name "admin/articles" | ||
integrate_views | ||
|
||
it "should route /admin/articles/attach and friends correctly" do | ||
params = { :controller => "admin/articles", :action => "attach", | ||
:id => '1', :version => "2" } | ||
params_from(:post, "/admin/articles/attach/1/2").should == params | ||
params = { :controller => "admin/articles", :action => "detach", | ||
:id => '1', :version => "2" } | ||
params_from(:post, "/admin/articles/detach/1/2").should == params | ||
end | ||
end |
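Review bot: the two `params_from(:post, ...)` assertions only establish that a POST to `/admin/articles/attach/1/2` and `/admin/articles/detach/1/2` routes to `attach`/`detach`; they do not establish that the same paths are unreachable via GET, which is the property that matters here, since the commit's rationale is that state-changing admin actions stay on POST so protect_from_forgery covers them. Adding the negative case, e.g. `params_from(:get, "/admin/articles/attach/1/2").should_not == params`, would pin that down. Separately, because the commit message says forgery protection is disabled in the test environment, nothing in this file exercises the token check itself; a controller spec that re-enables forgery protection for the example and posts to `attach` without an `authenticity_token` would cover the behaviour this commit is about. Minor: the example description "attach and friends" is vague; name the routes it actually covers.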