Don't allow arbitrary data in link_to :back #14444

Closed
cbetta opened this Issue Mar 21, 2014 · 3 comments
cbetta commented Mar 21, 2014

I realised that link_to "back", :back will set the href to anything passed as the referer regardless of whether it's a URI or not. For example if javascript:alert("!") is passed in it will just plainly pass that as the href and execute it.

Obviously this bug is low priority as the referer header can not be spoofed easily as such, but at the moment we're one browser-bug away from having a massive XSS exploit on every rails site that uses :back.

rafaelfranca commented Mar 21, 2014

cc @NZKoz

NZKoz commented Mar 22, 2014

If you can overwrite HTTP headers you can also perform session fixation attacks, and a variety of other security issues. So while I'm not necessarily opposed to restricting the referrer to http/s urls, it's a long way down my list of things to worry about :)

chancancode commented Mar 23, 2014

Since this is more like a feature request, let's close this for now. Feel free to bring this up on the rails-core mailing list and/or send a pull request for this :) We also have a related GSoC project, so perhaps a student could work on that in the summer.

Thanks for bringing this up though!

pixeltrix added a commit to alphagov/e-petitions that referenced this issue Jul 1, 2015

Sanitize referer url before using it
Rails by default doesn't validate the HTTP_REFERER header used when doing
a `link_to :back`. This was deemed to be a low priority in rails/rails#14444
as the ability to inject headers via a proxy would allow all sorts of other
attacks like session fixation. Coupled with SSL it makes any exploit unlikely.

However we know in our application our usage is limited to internal back
links, so we can parse them through `URI.parse` and ensure they are valid.

Fixes GDNT-025-3-1

ExMember added a commit to usertesting/rails that referenced this issue Nov 4, 2015

Don’t allow arbitrary data in back urls
`link_to :back` creates a link to whatever was
passed in via the referer header. If an attacker
can alter the referer header, that would create
a cross-site scripting vulnerability on every
page that uses `link_to :back`

This commit restricts the back URL to valid
non-javascript URLs.

rails#14444
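The behaviour cbetta describes in the issue (the Referer value becomes the href verbatim) and the check the two commits above apply (parse the referer and only accept http/https) side by side, as an added example. This is not code from Rails, alphagov/e-petitions or usertesting/rails: `unsafe_back_href`, `safe_back_href`, `render_back_link`, `audit` and the sample referer strings are all hypothetical and constructed for illustration. The only thing taken from Rails is the `javascript:history.back()` fallback that `url_for(:back)` uses when no Referer header is present.

```ruby
require "uri"
require "erb"

# Rails' own fallback for url_for(:back) when no Referer header was sent.
FALLBACK_HREF = "javascript:history.back()"

# Vulnerable behaviour described in the issue: whatever the Referer header
# carried becomes the href unchanged, javascript: scheme included.
def unsafe_back_href(referer)
  referer.nil? || referer.empty? ? FALLBACK_HREF : referer
end

# Hardened variant (hypothetical; neither Rails' nor alphagov's code): the
# referer must parse as a URI and carry an http or https scheme, otherwise
# the fallback is used. The scheme comparison is case-insensitive because a
# browser treats "JavaScript:" exactly like "javascript:".
def safe_back_href(referer, allowed_schemes: %w[http https])
  return FALLBACK_HREF if referer.nil? || referer.strip.empty?

  uri = URI.parse(referer)
  scheme = uri.scheme&.downcase
  return FALLBACK_HREF unless scheme && allowed_schemes.include?(scheme)

  referer
rescue URI::InvalidURIError
  # 'javascript:alert("!")' and 'data:text/html,<script>...' both fail to
  # parse (quotes and angle brackets are not URI characters); a referer that
  # is not a URI at all is treated as unsafe rather than passed through.
  FALLBACK_HREF
end

# Minimal stand-in for the anchor link_to renders (hypothetical, not
# ActionView). Attribute escaping turns `"` into `&quot;`, but the browser
# decodes entities before treating the value as a URL, so HTML escaping on
# its own does not neutralise a javascript: scheme.
def render_back_link(name, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(name)}</a>)
end

# Constructed sample Referer values (not captured traffic).
SAMPLE_REFERERS = [
  "https://example.com/petitions/42",
  "http://example.com/search?q=a%20b",
  'javascript:alert("!")',
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/relative/path",
  "not a uri at all",
  nil,
].freeze

# Returns [referer, unsafe href, safe href] for each sample so the two
# behaviours can be compared side by side.
def audit(referers = SAMPLE_REFERERS)
  referers.map { |r| [r, unsafe_back_href(r), safe_back_href(r)] }
end

if $PROGRAM_NAME == __FILE__
  audit.each do |referer, unsafe, safe|
    puts "referer: #{referer.inspect}"
    puts "  unsafe: #{render_back_link('back', unsafe)}"
    puts "  safe:   #{render_back_link('back', safe)}"
  end
end
```

Running the file prints both anchors for every sample; the unsafe column shows the `javascript:` payloads landing in `href` untouched, while the safe column only ever contains an http/https URL or the fallback. The relative path is rejected here on purpose: the alphagov commit limits its use to internal back links, and a Referer header carries an absolute URL, so anything without a scheme is more likely tampering than a legitimate origin.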