Is this a necessary precaution?


#1

If I’m not mistaken, a user can send POST data from outside of a web
browser; I think this is something that is done to brute-force form
logins, or to automate spam, etc.

In my app, which operates like a forum, Comment objects have a boolean
attribute “sticky” which determines if that Comment is displayed before
all other comments.

I was thinking, what would happen if a user forcefully sent “sticky =>
true” in POST data? I would imagine my app’s new_comment action would
simply create a new object from that data and falsely make his or her
post a sticky-post. Is this a possibility, and is it something I should
be trying to prevent? Just something I recently pondered.


#2

On Mar 8, 2007, at 7:49 PM, Anonymous wrote:

> If I’m not mistaken, a user can send POST data from outside of a web
> browser; I think this is something that is done to brute-force form
> logins, or to automate spam, etc.

Yes, and often for testing.

> be trying to prevent? Just something I recently pondered.

That is a danger if you’re doing something like:

MyModel.create(params[:my_model])

without checking the param values.

You probably want to take a look at the attr_protected method:

http://rails.rubyonrails.org/classes/ActiveRecord/Base.html#M001005

James.


James S.
Play: http://james.anthropiccollective.org
Work: http://jystewart.net/process/
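
The risk and the fix described in this reply, as an added example that is not code from the thread or from Rails: a plain-Ruby stand-in for a model with mass assignment. TinyModel, OpenComment, GuardedComment and the params hash are constructed for illustration; only the name attr_protected mirrors the Rails method mentioned above.

```ruby
# Plain-Ruby stand-in for a model class. TinyModel and the comment classes are
# hypothetical, constructed for illustration; this is not ActiveRecord.
class TinyModel
  class << self
    attr_reader :column_names, :protected_names
    def columns(*names)
      @column_names = names.map(&:to_s)
      attr_accessor(*names)
    end
    # Same idea as Rails' attr_protected: mass assignment skips these names.
    def attr_protected(*names)
      @protected_names = names.map(&:to_s)
    end
    def create(params = {})
      new.tap { |record| record.attributes = params }
    end
  end
  # Mass assignment: copy each submitted key that is a column and not protected.
  def attributes=(params)
    params.each do |key, value|
      next unless self.class.column_names.include?(key.to_s)
      next if Array(self.class.protected_names).include?(key.to_s)
      public_send("#{key}=", value)
    end
  end
end

class OpenComment < TinyModel
  columns :body, :sticky
end

class GuardedComment < TinyModel
  columns :body, :sticky
  attr_protected :sticky
end

# Constructed params: what the action receives when a client adds a sticky field.
FORGED_PARAMS = { "body" => "first!", "sticky" => "true" }.freeze

# Value of sticky right after create(params) with the forged hash.
def sticky_after_create(model)
  model.create(FORGED_PARAMS).sticky
end

# Trusted code can still set the flag explicitly on a guarded model.
def sticky_set_by_moderator(model)
  model.create(FORGED_PARAMS).tap { |c| c.sticky = true }.sticky
end
```

The stand-in does no type casting, so the forged value stays the string "true" on OpenComment; on GuardedComment it never reaches the attribute, while the explicit assignment still does.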


#3

Yes, this is the reason for captchas and user-logins. You should be
actively thinking about how people can attack your app from both
within and without a web browser.

If you’re allowing your objects to be modified via POSTs, you should
probably authenticate the call first. You have some sort of login
system, right?


#4

Ah okay, I was right.

I was preventing it by: self[:sticky] = nil during before_create. I was
previously unaware of attr_protected which is obviously a much cleaner
solution. Thanks.

> Yes, and often for testing.

Sigh. One day I’ll actually learn how to do this. I don’t know why
I’ve allowed myself to go so long without.


#5

You might want to check out this link[1] as well. It cautions about
your very problem, and has a few other precautions you can take to
harden your application.

Nelson

[1] http://manuals.rubyonrails.com/read/book/8
