My team and I are finding ourselves a little in the dark about the
“CSRF Protection Bypass in Ruby on Rails” vulnerability that was
announced yesterday.
Where is the complete Advisory? The Impact section is very unclear.
The comment in the 2.3 patch mentions “Flash animations and
Java applets” - does the whole thing deserve a bit more explaining?
Lines 40-48 in the 2.3 patch change the CSRF protection to only
allow GET requests and requests with the correct form authenticity
token through - is this not going to break stateless web-service and
ActiveResource POST requests that do not maintain state on the
client side? Line 228 in the 2.3 patch tests that XML requests
should be validated for the authenticity token. This is going to break
quite a few things.
Should Rails by default (still) support authenticated stateless
requests (for the sake of web services)? Or should we handle this by
overriding handle_unverified_request (line 31 of the 2.3 patch)?
What am I missing?
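The rule the post describes (only a GET, or a request carrying the session's authenticity token, passes) and the handle_unverified_request override it asks about, as an added stand-alone Ruby model. This is not code from the post, the patch or Rails itself: `ForgeryProtection`, `Request`, the hypothetical raise-on-failure default, the `X-Api-Key` header and the constructed key are all assumptions made for the illustration, and no Rails classes are loaded.

```ruby
require 'securerandom'

# Constructed stand-in for ActionController's request object.
Request = Struct.new(:http_method, :format, :params, :headers)

class InvalidAuthenticityToken < StandardError; end

# Minimal model of protect_from_forgery under the patched rule the post
# describes: a request is verified only if it is a GET or its
# authenticity_token parameter equals the token stored in the session.
class ForgeryProtection
  attr_reader :session

  def initialize(session = {})
    @session = session
  end

  # Per-session token; generated on first use and then reused.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.hex(32)
  end

  # Note that the request format (html, xml, ...) plays no part here:
  # an XML POST without the token is treated like any other POST.
  def verified_request?(req)
    req.http_method == 'GET' ||
      req.params['authenticity_token'] == form_authenticity_token
  end

  # Returns :verified, or whatever handle_unverified_request returns.
  def verify(req)
    return :verified if verified_request?(req)
    handle_unverified_request(req)
  end

  # Hypothetical default behaviour (assumption): reject outright.
  def handle_unverified_request(_req)
    raise InvalidAuthenticityToken, 'missing or wrong authenticity token'
  end
end

# A stateless web-service endpoint. Its clients never hold a session, so
# they never have a token to send. The override accepts a request only when
# it is authenticated by an API key in a custom header, something a plain
# cross-site HTML form cannot set; anything else falls through to the default.
class ApiForgeryProtection < ForgeryProtection
  API_KEY_HEADER = 'X-Api-Key'
  VALID_API_KEY  = 'constructed-key-1234' # constructed for the example

  def handle_unverified_request(req)
    key = req.headers[API_KEY_HEADER]
    return :verified_by_api_key if key && key == VALID_API_KEY
    super
  end
end

if __FILE__ == $PROGRAM_NAME
  fp  = ForgeryProtection.new
  tok = fp.form_authenticity_token
  p fp.verify(Request.new('GET', 'html', {}, {}))
  p fp.verify(Request.new('POST', 'html', { 'authenticity_token' => tok }, {}))
  begin
    fp.verify(Request.new('POST', 'xml', {}, {})) # the case the post worries about
  rescue InvalidAuthenticityToken => e
    puts "xml POST without token: #{e.message}"
  end
  api = ApiForgeryProtection.new
  p api.verify(Request.new('POST', 'xml', {}, { 'X-Api-Key' => 'constructed-key-1234' }))
end
```

The override is where the security decision now lives, so whatever it accepts should be something a victim's browser cannot attach to a forged request on its own: a credential the client must explicitly add (as the custom header above) qualifies, while accepting a non-GET request on the strength of the session cookie alone would reopen the bypass the patch closes.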