
ActiveSupport Message verifier with double slash trouble #27995

Closed
kewogc opened this issue Feb 14, 2017 · 1 comment

Comments

@kewogc

commented Feb 14, 2017

Steps to reproduce

# routes.rb
get 'verify/*token', to: 'recipients#verify'   # controller/action not shown in the issue; assumed here so the route is complete

# generate token
verifier = ActiveSupport::MessageVerifier.new(secret)   # secret assumed, e.g. Rails.application.secrets.secret_key_base
token = verifier.generate(:user_id=>1111, :recipient_id=>12975875, :email=>"xxxxxxx@xxxx.ru")
#=> "BAh7CDoMdXNlcl9pZGkCVwQ6EXJlY2lwaWVudF9pZGkDA//FOgplbWFpbEkiFHh4eHh4eHhAeHh4eC5ydQY6BkVU--03d313de249dab9fb0894db3353a2dc24fb65568"

# Send url with token to rails
curl http://localhost:3000/recipients/verify/BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA//FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd

# Rails server log
Started GET "/verify/BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA//FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd" for 127.0.0.1 at 2017-02-14 15:44:20 +0700
Processing as HTML
  Parameters: {"token"=>"BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA/FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd"}

Okay, I thought I would encode the token: // -> %2F%2F
But in production, the request is sent to nginx over HTTP:

server {
  listen 80;
  server_name localhost;
  location / {
    rewrite ^(.*) https://$host$1 permanent;
  }
  location /.well-known/acme-challenge {
     ...
  }
}

server {
  listen 443;
  server_name localhost;
  ssl on;
  location / {
    proxy_pass            http://rails-app;
    proxy_redirect        off;
  }
}

The encoding is lost after the redirect to HTTPS: %2F%2F -> "//". Normalization is mandatory in the location block in nginx.

Maybe it is possible to disable the normalization of slashes in Rails?

Expected behavior

"token"=>"BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA//FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd"

Actual behavior

"token"=>"BAh7CDoMdXNlcl9pZGkC7wk6EXJlY2lwaWVudF9pZGkDA/FOgplbWFpbEkiF2RtcGV0cm92bmFAbWFpbC5ydQY6BkVU--e2c138bb54209f7e31138fa0111d152c7d1c96cd"

System configuration

Rails version: 4.2.5
Ruby version: 2.3.0

@rafaelfranca

Member

commented Feb 14, 2017

The token generated by message verifier is not safe to be used in a URL as a raw value. You need to encode it in a way that can be safely used in URLs.
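The following Ruby is an added example, not code from the issue or from Rails. `DemoVerifier` is a small stand-in that keeps the Rails 4.2 `ActiveSupport::MessageVerifier` token layout (`Base64(Marshal.dump(value))--HMAC-SHA1 hex`) so the report's behaviour can be reproduced offline: the payload is the one from the report, the secret is constructed, and `normalize_path` models the hop the report describes (percent-escapes decoded by the nginx rewrite, repeated slashes collapsed by the Rails router). The raw token contains `//` from the Base64 alphabet and fails verification after that hop; the same verifier with a URL-safe Base64 payload (no `+`, `/` or `=`) survives it. Rails 4.2 has no URL-safe option on the verifier itself, so wrapping the payload with `Base64.urlsafe_encode64` is the approach shown here.

```ruby
require "base64"
require "openssl"

# Added example, not Rails code. DemoVerifier keeps the Rails 4.2
# ActiveSupport::MessageVerifier token layout, "<Base64(Marshal.dump(value))>--<HMAC-SHA1 hex>",
# so the effect of URL path normalization on a raw token can be shown offline.
class DemoVerifier
  def initialize(secret, url_safe: false)
    @secret   = secret
    @url_safe = url_safe
  end

  # Standard Base64 (url_safe: false) emits "+", "/" and "=", none of which
  # travel safely in a URL path; the URL-safe alphabet ("-", "_", no padding) does.
  def generate(value)
    payload = encode(Marshal.dump(value))
    "#{payload}--#{digest(payload)}"
  end

  # Returns the original value, or nil for a malformed or tampered token.
  # Marshal.load runs only after the HMAC check has passed: deserialising
  # unverified input would be an arbitrary-object-injection sink.
  def verified(token)
    # rpartition: a URL-safe payload may itself contain "--"; the hex digest cannot.
    payload, sep, sig = token.to_s.rpartition("--")
    return nil if sep.empty?
    return nil unless secure_compare(digest(payload), sig)
    Marshal.load(decode(payload))
  rescue ArgumentError, TypeError
    nil
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, payload) # Rails 4.2 default digest
  end

  def encode(bytes)
    @url_safe ? Base64.urlsafe_encode64(bytes, padding: false) : Base64.strict_encode64(bytes)
  end

  def decode(text)
    @url_safe ? Base64.urlsafe_decode64(text) : Base64.strict_decode64(text)
  end

  # Constant-time comparison so a wrong digest is not distinguishable by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Model of the hop the report describes: percent-escapes are decoded (the
# nginx rewrite), then repeated slashes collapse to one (the Rails router).
def normalize_path(path)
  decoded = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  decoded.gsub(%r{/+}, "/")
end

SECRET  = "demo-secret-not-for-production" # constructed for this example
PAYLOAD = { user_id: 1111, recipient_id: 12975875, email: "xxxxxxx@xxxx.ru" } # from the report

# Signs PAYLOAD, puts the token in the path as the report did, runs it through
# normalize_path and returns what the verifier makes of what arrives.
def round_trip(url_safe:)
  verifier = DemoVerifier.new(SECRET, url_safe: url_safe)
  token    = verifier.generate(PAYLOAD)
  received = normalize_path("/verify/#{token}").sub(%r{\A/verify/}, "")
  { token: token, received: received, value: verifier.verified(received) }
end

if __FILE__ == $PROGRAM_NAME
  raw, safe = round_trip(url_safe: false), round_trip(url_safe: true)
  puts "raw token:       #{raw[:token]}"
  puts "after the hop:   #{raw[:received]}"
  puts "verified value:  #{raw[:value].inspect}"   # nil: "//" became "/"
  puts "url-safe token:  #{safe[:token]}"
  puts "verified value:  #{safe[:value].inspect}"
end
```

The raw token's payload comes out byte-identical to the one in the report (Marshal output is stable), including the `A//F` run that the log shows arriving as `A/F`; only the digest differs because the secret does. On the proxy side, `rewrite ^(.*) https://$host$1 permanent;` captures nginx's already-decoded URI, whereas `return 301 https://$host$request_uri;` forwards the request line as the client sent it, escapes intact. Even with that change, a token whose alphabet needs percent-encoding stays fragile across proxies and routers, which is the point of the reply above: emit a token that is URL-safe to begin with.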
