CSRF protection and verify :method


#1

Hi rortalk,

I’ve been looking at my under development site’s exposure to csrf
attacks. While it is a good thing that rails provides request forgery
protection for not-gets, it seems to me that for it to actually be
meaningful you need to take the additional step of restricting the
methods of your actions.

for example, say i have a destroy method in a controller of a restful
app. by convention i invoke this using DELETE, and if i do so, request
forgery protection applies. however, by default it is also possible to
invoke it using GET, unless i explicitly do something like
verify :method => :delete, :only => [ :destroy ]

this is potentially very bad … as an example, attackers could use
something cheesy like a lot of

for 1…99999

on any page to have visiting users destroy all their valuable
documents. obviously similar problems apply in terms of the ability to
invoke update and create using GET without an explicit verify :method.

it seems to me like it would be sensible to provide an option
(possibly a default) to verify that restful resources are accessed
using only the correct http verbs.

one alternative is to have in the ApplicationController:

verify :method => :post, :only => [ :post ]
verify :method => :put, :only => [ :update ]
verify :method => :delete, :only => [ :destroy ]

which seems to work ok … although it breaks the tests for
restful_authentication, apparently (yet to look into it)

thoughts?


#2

On Feb 24, 5:47 am, James S. removed_email_address@domain.invalid wrote:

it seems to me like it would be sensible to provide an option
(possibly a default) to verify that restful resources are accessed
using only the correct http verbs.

one alternative is to have in the ApplicationController:

verify :method => :post, :only => [ :post ]
verify :method => :put, :only => [ :update ]
verify :method => :delete, :only => [ :destroy ]

Or if you delete the default route from routes.rb then you don’t need
this.

Fred


#3

aha. thanks fred

On Feb 24, 7:09 pm, Frederick C. removed_email_address@domain.invalid