Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Change the CSRF whitelisting to only apply to get requests

Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
  • Loading branch information...
commit 7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06 1 parent abe9773
@NZKoz NZKoz authored
View
15 actionpack/lib/action_controller/request_forgery_protection.rb
@@ -76,7 +76,11 @@ def protect_from_forgery(options = {})
protected
# The actual before_filter that is used. Modify this to change how you handle unverified requests.
def verify_authenticity_token
- verified_request? || raise(ActionController::InvalidAuthenticityToken)
+ verified_request? || handle_unverified_request
+ end
+
+ def handle_unverified_request
+ reset_session
@dlitz
dlitz added a note

Doesn't this create a denial-of-service vulnerability? A rogue site can force you to log out, now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
end
# Returns true or false if a request is verified. Checks:
@@ -85,11 +89,10 @@ def verify_authenticity_token
# * is it a GET request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
def verified_request?
- !protect_against_forgery? ||
- request.method == :get ||
- request.xhr? ||
- !verifiable_request_format? ||
- form_authenticity_token == form_authenticity_param
+ !protect_against_forgery? ||
+ request.get? ||
+ form_authenticity_token == form_authenticity_param ||
+ form_authenticity_token == request.headers['X-CSRF-Token']
end
def form_authenticity_param
View
2  actionpack/lib/action_view/helpers.rb
@@ -6,6 +6,7 @@ module Helpers #:nodoc:
autoload :BenchmarkHelper, 'action_view/helpers/benchmark_helper'
autoload :CacheHelper, 'action_view/helpers/cache_helper'
autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+ autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
autoload :DateHelper, 'action_view/helpers/date_helper'
autoload :DebugHelper, 'action_view/helpers/debug_helper'
autoload :FormHelper, 'action_view/helpers/form_helper'
@@ -38,6 +39,7 @@ module ClassMethods
include BenchmarkHelper
include CacheHelper
include CaptureHelper
+ include CsrfHelper
include DateHelper
include DebugHelper
include FormHelper
View
14 actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -0,0 +1,14 @@
+module ActionView
+ # = Action View CSRF Helper
+ module Helpers
+ module CsrfHelper
+ # Returns a meta tag with the cross-site request forgery protection token
+ # for forms to use. Place this in your head.
+ def csrf_meta_tag
+ if protect_against_forgery?
+ %(<meta name="csrf-param" content="#{h(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{h(form_authenticity_token)}"/>).html_safe
+ end
+ end
+ end
+ end
+end
View
216 actionpack/test/controller/request_forgery_protection_test.rb
@@ -23,6 +23,10 @@ def unsafe
render :text => 'pwn'
end
+ def meta
+ render :inline => "<%= csrf_meta_tag %>"
+ end
+
def rescue_action(e) raise e end
end
@@ -32,6 +36,16 @@ class RequestForgeryProtectionController < ActionController::Base
protect_from_forgery :only => :index
end
+class RequestForgeryProtectionControllerUsingOldBehaviour < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => %w(index meta)
+
+ def handle_unverified_request
+ raise(ActionController::InvalidAuthenticityToken)
+ end
+end
+
+
class FreeCookieController < RequestForgeryProtectionController
self.allow_forgery_protection = false
@@ -54,158 +68,92 @@ def form_authenticity_param
# common test methods
module RequestForgeryProtectionTests
- def teardown
- ActionController::Base.request_forgery_protection_token = nil
- end
-
+ def setup
+ @token = "cf50faa3fe97702ca1ae"
- def test_should_render_form_with_token_tag
- get :index
- assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
- end
-
- def test_should_render_button_to_with_token_tag
- get :show_button
- assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
- end
-
- def test_should_render_remote_form_with_only_one_token_parameter
- get :remote_form
- assert_equal 1, @response.body.scan(@token).size
- end
-
- def test_should_allow_get
- get :index
- assert_response :success
- end
-
- def test_should_allow_post_without_token_on_unsafe_action
- post :unsafe
- assert_response :success
- end
-
- def test_should_not_allow_html_post_without_token
- @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
- assert_raise(ActionController::InvalidAuthenticityToken) { post :index, :format => :html }
+ ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
+ ActionController::Base.request_forgery_protection_token = :authenticity_token
end
- def test_should_not_allow_html_put_without_token
- @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
- assert_raise(ActionController::InvalidAuthenticityToken) { put :index, :format => :html }
- end
- def test_should_not_allow_html_delete_without_token
- @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
- assert_raise(ActionController::InvalidAuthenticityToken) { delete :index, :format => :html }
- end
-
- def test_should_allow_api_formatted_post_without_token
- assert_nothing_raised do
- post :index, :format => 'xml'
+ def test_should_render_form_with_token_tag
+ assert_not_blocked do
+ get :index
end
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
- def test_should_not_allow_api_formatted_put_without_token
- assert_nothing_raised do
- put :index, :format => 'xml'
+ def test_should_render_button_to_with_token_tag
+ assert_not_blocked do
+ get :show_button
end
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
- def test_should_allow_api_formatted_delete_without_token
- assert_nothing_raised do
- delete :index, :format => 'xml'
- end
+ def test_should_allow_get
+ assert_not_blocked { get :index }
end
- def test_should_not_allow_api_formatted_post_sent_as_url_encoded_form_without_token
- assert_raise(ActionController::InvalidAuthenticityToken) do
- @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
- post :index, :format => 'xml'
- end
+ def test_should_allow_post_without_token_on_unsafe_action
+ assert_not_blocked { post :unsafe }
end
- def test_should_not_allow_api_formatted_put_sent_as_url_encoded_form_without_token
- assert_raise(ActionController::InvalidAuthenticityToken) do
- @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
- put :index, :format => 'xml'
- end
+ def test_should_not_allow_post_without_token
+ assert_blocked { post :index }
end
- def test_should_not_allow_api_formatted_delete_sent_as_url_encoded_form_without_token
- assert_raise(ActionController::InvalidAuthenticityToken) do
- @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
- delete :index, :format => 'xml'
- end
+ def test_should_not_allow_post_without_token_irrespective_of_format
+ assert_blocked { post :index, :format=>'xml' }
end
- def test_should_not_allow_api_formatted_post_sent_as_multipart_form_without_token
- assert_raise(ActionController::InvalidAuthenticityToken) do
- @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
- post :index, :format => 'xml'
- end
+ def test_should_not_allow_put_without_token
+ assert_blocked { put :index }
end
- def test_should_not_allow_api_formatted_put_sent_as_multipart_form_without_token
- assert_raise(ActionController::InvalidAuthenticityToken) do
- @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
- put :index, :format => 'xml'
- end
+ def test_should_not_allow_delete_without_token
+ assert_blocked { delete :index }
end
- def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_token
- assert_raise(ActionController::InvalidAuthenticityToken) do
- @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
- delete :index, :format => 'xml'
- end
- end
-
- def test_should_allow_xhr_post_without_token
- assert_nothing_raised { xhr :post, :index }
- end
-
- def test_should_allow_xhr_put_without_token
- assert_nothing_raised { xhr :put, :index }
- end
-
- def test_should_allow_xhr_delete_without_token
- assert_nothing_raised { xhr :delete, :index }
+ def test_should_not_allow_xhr_post_without_token
+ assert_blocked { xhr :post, :index }
end
-
- def test_should_allow_xhr_post_with_encoded_form_content_type_without_token
- @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
- assert_nothing_raised { xhr :post, :index }
- end
-
+
def test_should_allow_post_with_token
- post :index, :authenticity_token => @token
- assert_response :success
+ assert_not_blocked { post :index, :authenticity_token => @token }
end
def test_should_allow_put_with_token
- put :index, :authenticity_token => @token
- assert_response :success
+ assert_not_blocked { put :index, :authenticity_token => @token }
end
def test_should_allow_delete_with_token
- delete :index, :authenticity_token => @token
- assert_response :success
+ assert_not_blocked { delete :index, :authenticity_token => @token }
end
- def test_should_allow_post_with_xml
- @request.env['CONTENT_TYPE'] = Mime::XML.to_s
- post :index, :format => 'xml'
- assert_response :success
+ def test_should_allow_post_with_token_in_header
+ @request.env['HTTP_X_CSRF_TOKEN'] = @token
+ assert_not_blocked { post :index }
+ end
+
+ def test_should_allow_delete_with_token_in_header
+ @request.env['HTTP_X_CSRF_TOKEN'] = @token
+ assert_not_blocked { delete :index }
end
- def test_should_allow_put_with_xml
- @request.env['CONTENT_TYPE'] = Mime::XML.to_s
- put :index, :format => 'xml'
+ def test_should_allow_put_with_token_in_header
+ @request.env['HTTP_X_CSRF_TOKEN'] = @token
+ assert_not_blocked { put :index }
+ end
+
+ def assert_blocked
+ session[:something_like_user_id] = 1
+ yield
+ assert_nil session[:something_like_user_id], "session values are still present"
assert_response :success
end
- def test_should_allow_delete_with_xml
- @request.env['CONTENT_TYPE'] = Mime::XML.to_s
- delete :index, :format => 'xml'
+ def assert_not_blocked
+ assert_nothing_raised { yield }
assert_response :success
end
end
@@ -214,15 +162,20 @@ def test_should_allow_delete_with_xml
class RequestForgeryProtectionControllerTest < ActionController::TestCase
include RequestForgeryProtectionTests
- def setup
- @controller = RequestForgeryProtectionController.new
- @request = ActionController::TestRequest.new
- @request.format = :html
- @response = ActionController::TestResponse.new
- @token = "cf50faa3fe97702ca1ae"
- ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
- ActionController::Base.request_forgery_protection_token = :authenticity_token
+ test 'should emit a csrf-token meta tag' do
+ ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
+ get :meta
+ assert_equal %(<meta name="csrf-param" content="authenticity_token"/>\n<meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>), @response.body
+ end
+end
+
+class RequestForgeryProtectionControllerUsingOldBehaviourTest < ActionController::TestCase
+ include RequestForgeryProtectionTests
+ def assert_blocked
+ assert_raises(ActionController::InvalidAuthenticityToken) do
+ yield
+ end
end
end
@@ -251,15 +204,30 @@ def test_should_allow_all_methods_without_token
assert_nothing_raised { send(method, :index)}
end
end
+
+ test 'should not emit a csrf-token meta tag' do
+ get :meta
+ assert_blank @response.body
+ end
end
+
+
+
+
class CustomAuthenticityParamControllerTest < ActionController::TestCase
def setup
+ ActionController::Base.request_forgery_protection_token = :custom_token_name
+ super
+ end
+
+ def teardown
ActionController::Base.request_forgery_protection_token = :authenticity_token
+ super
end
def test_should_allow_custom_token
- post :index, :authenticity_token => 'foobar'
+ post :index, :custom_token_name => 'foobar'
assert_response :ok
end
end
Please sign in to comment.
Something went wrong with that request. Please try again.