CSRF protection for your existing Rails application

Posted by pratik
on Friday, September 28

If you google for CSRF attacks, you’ll find plenty of articles. But just for fun, here’s the simplest example: http://rubyurl.com/Liu — copy/paste the link in a new window (don’t do it if you hate me/Twitter).

Thanks to Rick, Rails now has built-in protection against such attacks, which is turned on by default for all new Rails applications.

Here are the steps to enable it in your existing Rails application:

  • Add protect_from_forgery to your application.rb:

    class ApplicationController < ActionController::Base
      protect_from_forgery # Add :secret => 'some cryptic string' if not using cookie sessions
      # All your existing stuff
    end

  • Turn off CSRF protection in your test environment, unless you have the time/energy/reasons to add the CSRF token to all your functional/integration tests that use the POST/PUT/DELETE methods.

To do so, add the following to your test.rb environment file:

    # All your existing stuff
    config.action_controller.allow_forgery_protection = false

  • If you have cached any pages containing forms, buttons or links that use the POST/PUT/DELETE method, make sure you clear your cache, since the cached copies were rendered without an authenticity token and their requests will now be rejected.
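The check that protect_from_forgery performs, reduced to a small stand-alone Ruby class as an added illustration (this is not Rails’s own code): the token is derived from the session with a secret, so a form on another site cannot produce it, and only state-changing verbs are checked. The class name, method names and the HMAC derivation are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical stand-in for the per-request check behind protect_from_forgery:
# a session-bound token that a cross-site form cannot know, checked only on
# requests that change state. Not the Rails implementation.
class ForgeryGuard
  SAFE_METHODS = %w[GET HEAD].freeze
  TOKEN_PARAM  = 'authenticity_token'.freeze

  def initialize(secret, enabled: true)
    @secret  = secret
    @enabled = enabled # plays the role of config.action_controller.allow_forgery_protection
  end

  # Token a form rendered for this session would embed (constructed derivation).
  def token_for(session_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, session_id)
  end

  # true when the request may proceed, false when it must be rejected.
  def verified_request?(method, session_id, params)
    return true unless @enabled
    return true if SAFE_METHODS.include?(method.upcase)
    supplied = params[TOKEN_PARAM].to_s
    expected = token_for(session_id)
    supplied.bytesize == expected.bytesize && constant_time_eq(supplied, expected)
  end

  private

  def constant_time_eq(a, b)
    res = 0
    a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
    res.zero?
  end
end

# Constructed sample: one POST without a token (as a cross-site form would send) and one with it.
if __FILE__ == $0
  guard = ForgeryGuard.new('some cryptic string')
  sid   = SecureRandom.hex(16)
  puts guard.verified_request?('POST', sid, {})                                         # false
  puts guard.verified_request?('POST', sid, 'authenticity_token' => guard.token_for(sid)) # true
end
```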

That’s all folks!

[WARNING] Don't trust strip_links()

Posted by pratik
on Wednesday, July 04

After coming across Ticket 8864 I tried to play around a bit more with link tags. And guess what, they’re more broken than I ever thought. And it’s not just Rails, but Firefox too.

For example, consider the following HTML:

    <html>
    <head><title>Seriously, wtf !?</title></head>
    <body>
      <href onMouseover="alert(document.location)">whatever
    </body>
    </html>

This actually works in Firefox, but renders as a blank page in Safari/IE (no, I don’t use Windows; I asked a friend to check it).

The result? Applications that depend on strip_links() to strip link tags are open to XSS attacks.

I feel this is a critical issue in Firefox, and it’s not just related to Rails. In very special cases it could be really risky.

I’ve submitted my modified strip_links() patch anyway.

Wait and watch.