Forum: Ruby on Rails
Is this a necessary precaution?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Anonymous (Guest)
on 2007-03-09 02:49
If I'm not mistaken, a user can send POST data from outside of a web
browser; I think this is something that is done to brute-force form
logins, or to automate spam, etc.

In my app, which operates like a forum, Comment objects have a boolean
attribute "sticky" which determines if that Comment is displayed before
all other comments.

I was thinking, what would happen if a user forcefully sent "sticky =>
true" in POST data?  I would imagine my app's new_comment action would
simply create a new object from that data and falsely make his or her
post a sticky-post.  Is this a possibility, and is it something I should
be trying to prevent?  Just something I recently pondered.
James S. (Guest)
on 2007-03-09 03:28
(Received via mailing list)
On Mar 8, 2007, at 7:49 PM, Anonymous wrote:
> If I'm not mistaken, a user can send POST data from outside of a web
> browser; I think this is something that is done to brute-force form
> logins, or to automate spam, etc.

Yes, and often for testing.

> be trying to prevent?  Just something I recently pondered.
That is a danger if you're doing something like:

MyModel.create(params[:my_model])

without checking the param values.

You probably want to take a look at the attr_protected method:

http://rails.rubyonrails.org/classes/ActiveRecord/...

James.

--
James S.
Play: http://james.anthropiccollective.org
Work: http://jystewart.net/process/
Eden L. (Guest)
on 2007-03-09 03:47
(Received via mailing list)
Yes, this is the reason for captchas and user-logins.  You should be
actively thinking about how people can attack your app from both
within and without a web browser.

If you're allowing your objects to be modified via POSTs, you should
probably authenticate the call first.  You have some sort of login
system, right?
Anonymous (Guest)
on 2007-03-09 03:50
Ah okay, I was right.

I was preventing it by: self[:sticky] = nil during before_create.  I was
previously unaware of attr_protected which is obviously a much cleaner
solution.  Thanks.

> Yes, and often for testing.
Sigh.  One day I'll actually learn how to do this.  I don't know why
I've allowed myself to go so long without.
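The scenario James and the original poster describe, as an added example that is not code from the thread: a plain-Ruby stand-in for the Rails 1.x mass-assignment behaviour (no ActiveRecord is loaded; the `Model` class below imitates just enough of it, namely `new`/`create` from a params hash, `attr_protected`, a `before_create` hook and `self[:attr]=`). The class names, the `sticky_after_create` and `pin` helpers, and the forged POST parameters are all constructed for the example. It shows the forged `sticky` flag landing on the unprotected model, and both fixes from the thread (James's `attr_protected`, and the original poster's `before_create` nulling) stopping it.

```ruby
# Added example: minimal imitation of Rails 1.x mass assignment. Not Rails code.
class Model
  # column name => default value; subclasses override (assumption for the example)
  def self.columns; {}; end

  # Boolean columns are the ones whose default is true/false.
  def self.booleans
    columns.select { |_, default| default == true || default == false }.keys
  end

  # Imitates attr_protected: listed names are skipped during mass assignment
  # but can still be set one at a time with record[:name] = value.
  def self.attr_protected(*names)
    protected_attributes.concat(names.map(&:to_sym))
  end

  def self.protected_attributes
    @protected_attributes ||= []
  end

  # The controller idiom the thread warns about: Model.create(params[:model]).
  def self.create(params)
    record = new(params)
    record.save
    record
  end

  def initialize(params = {})
    @attributes = self.class.columns.dup
    self.attributes = params
  end

  # Mass assignment: every key in the hash that names a column is written,
  # unless the column was declared protected. The keys come from the client.
  def attributes=(params)
    params.each do |name, value|
      name = name.to_sym
      next unless self.class.columns.include?(name)
      next if self.class.protected_attributes.include?(name)
      self[name] = value
    end
  end

  def [](name); @attributes[name.to_sym]; end
  def []=(name, value); @attributes[name.to_sym] = cast(name, value); end

  def save
    before_create
    true
  end

  def before_create; end

  private

  # Form data arrives as strings; imitate the "1"/"true" -> true cast of a
  # boolean column. Anything else, including nil, becomes false.
  def cast(name, value)
    return value unless self.class.booleans.include?(name.to_sym)
    [true, "1", "true"].include?(value)
  end
end

# Vulnerable: nothing stops a forged "sticky" key from being honoured.
class Comment < Model
  def self.columns; { author: nil, body: nil, sticky: false }; end
end

# Hardened the way James suggests: sticky is excluded from mass assignment.
class ProtectedComment < Comment
  attr_protected :sticky
end

# Hardened the way the original poster did it: nulled in before_create.
class HookedComment < Comment
  def before_create
    self[:sticky] = nil
  end
end

# Constructed POST body, as a client outside a browser would send it:
# an ordinary comment plus a forged sticky flag.
FORGED_PARAMS = { "author" => "mallory", "body" => "first!", "sticky" => "1" }

# What the new_comment action would end up persisting for the sticky column.
def sticky_after_create(klass, params = FORGED_PARAMS)
  klass.create(params)[:sticky]
end

# The legitimate path for a moderator: set the protected attribute explicitly.
def pin(comment)
  comment[:sticky] = true
  comment
end

if __FILE__ == $PROGRAM_NAME
  [Comment, ProtectedComment, HookedComment].each do |klass|
    puts "#{klass}: sticky=#{sticky_after_create(klass).inspect}"
  end
end
```

Two caveats worth keeping in mind when choosing between the fixes: a `before_create` hook only covers creation, so a later `update_attributes(params[:comment])` on the same model would accept the forged flag again, whereas `attr_protected` applies to every mass assignment. And `attr_protected` is a blacklist, so each new sensitive column has to be remembered; Rails of that era also offered `attr_accessible`, which whitelists the columns that may be mass-assigned and fails closed when a column is forgotten.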
Nelson Hsu (Guest)
on 2007-03-09 04:27
You might want to check out this link[1] as well.  It cautions about
your very problem, and has a few other precautions you can take to
harden your application.

Nelson

[1] http://manuals.rubyonrails.com/read/book/8


Anonymous wrote:
> Ah okay, I was right.
>
> I was preventing it by: self[:sticky] = nil during before_create.  I was
> previously unaware of attr_protected which is obviously a much cleaner
> solution.  Thanks.
>
>> Yes, and often for testing.
> Sigh.  One day I'll actually learn how to do this.  I don't know why
> I've allowed myself to go so long without.