Sent to you by Manuel González Noriega via Google Reader:
Potential Circumvention of CSRF Protection in Rails
via Riding Rails - home http://weblog.rubyonrails.com/ by michael on
There is a bug in all 2.1.x versions of Ruby on Rails which affects the
effectiveness of the CSRF protection given by protect_from_forgery.
By design, Rails does not perform token verification on requests
with certain content types not typically generated by browsers.
Unfortunately this list also included ‘text/plain’ which can be
Requests can be crafted which will circumvent the CSRF protection
Rails does not parse the parameters provided with these requests, but
may not be enough to protect your application.
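As an added illustration (not the advisory's patch or Rails's own code), the following Ruby models the exemption logic the advisory describes: a request whose content type is on an "exempt" list skips the token check, and the weak list wrongly includes text/plain. The exempt-type lists, method names and sample request are assumptions for illustration.

```ruby
require 'securerandom'

# Constructed exemption lists (assumptions, not the real Rails 2.1 lists).
# The weak list mirrors the advisory's flaw: text/plain is exempt even though
# a browser can submit a form with that content type.
WEAK_EXEMPT_TYPES     = %w[application/xml application/json text/plain].freeze
HARDENED_EXEMPT_TYPES = %w[application/xml application/json].freeze

# Reduce "text/plain; charset=UTF-8" to the bare media type "text/plain".
def media_type(content_type)
  return nil if content_type.nil? || content_type.strip.empty?
  content_type.split(';').first.strip.downcase
end

# Constant-time string comparison so the token check does not leak timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of the check: GET is never verified, exempt media types skip the
# token check, and every other request must carry the session's token.
# Unknown or missing content types fall through to the token check.
def verified_request?(method, content_type, session_token, param_token, exempt_types)
  return true if method.to_s.upcase == 'GET'
  return true if exempt_types.include?(media_type(content_type))
  secure_compare(session_token, param_token)
end

# Constructed sample: a token-less POST with a text/plain body, the kind of
# request the advisory says will pass the weak check.
SESSION_TOKEN = SecureRandom.hex(16)
TOKENLESS_TEXT_POST = { method: 'POST', content_type: 'text/plain; charset=UTF-8', token: nil }.freeze

# Does the given policy accept the request without a valid token?
def accepted_by?(exempt_types, req = TOKENLESS_TEXT_POST)
  verified_request?(req[:method], req[:content_type], SESSION_TOKEN, req[:token], exempt_types)
end

if __FILE__ == $PROGRAM_NAME
  puts "weak policy accepts token-less text/plain POST:     #{accepted_by?(WEAK_EXEMPT_TYPES)}"
  puts "hardened policy accepts token-less text/plain POST: #{accepted_by?(HARDENED_EXEMPT_TYPES)}"
end
```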
- All releases in the 2.1 series
- All 2.2 Pre Releases
The upcoming 2.1.3 and 2.2.2 releases will contain a fix for this issue.
Users of 2.1.x releases are advised to insert the following code into a
Users of Edge Rails after 2.2.1 should upgrade to the latest code in
The patch for the 2.1.x series is available on
This will also apply cleanly to 2.2 pre-releases prior to this
on Thursday November 13th at 11:19:53 2008
CET. Users with edge-rails checkouts after that date are advised to
upgrade to the latest code in 2-2-stable.