Security: Block <img ... /> tags when sanitizing

A whole class of CSRF attacks uses the img tag: <img src="/admin/account/action_that_allows_get" /> This will invoke action_that_allows_get using a GET request and first- party cookies. There are some examples on Wikipedia: http://en.wikipedia.org/wiki/Cross-site_request_forgery Note that really solid enforcement of the "use GET only for queries" rule will also prevent this kind of attack. Also note that if you allow third-party cookies, this patch doesn't help you at all--any other site on the Internet could trigger this attack.
technoweenie · Dec 20, 2008 · a644733 · a644733
1 parent c8c4bcc
commit a644733
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/RAILS-2.2-TODO.txt b/RAILS-2.2-TODO.txt
@@ -35,7 +35,7 @@ X   Can we restrict admin cookies to /admin ? No--need /accounts, too.
     Detect mass assignment failures in unit tests
 /   Review mass assignment in public controllers - comments
 /   Check regexes for ^ and $
-    Filter IMG tags
+/   Filter IMG tags
     Block database updates on POST requests
     Review http://guides.rubyonrails.org/security.html again
 

diff --git a/config/environment.rb b/config/environment.rb
@@ -66,8 +66,13 @@ def safe_to_load_application?
     config.active_record.observers = [:article_observer, :comment_observer]
   end
 
-  # Allow table tags in untrusted HTML.
+  # Allow table tags in untrusted HTML, but block img tags to prevent
+  # SRC attributes from being used in CSRF attacks.
   config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
+  config.after_initialize do
+    ActionView::Base.sanitized_allowed_tags.delete 'img'
+    ActionView::Base.sanitized_allowed_attributes.delete 'src'
+  end
 
   # We're slowly moving the contents of vendor and vender/plugins into
   # vendor/gems by adding config.gem declarations.