Page_attachments / :secret / #protect_from_forgery error


#1

Hi -

I am haunted by this :secret / #protect_from_forgery /
form_authenticity_token error that seems to stop me every few months.
Luckily it has been in remission for a few months. I just had a few
hours to finish this site and whammo! Up pops this much feared error.

The cause is that I installed attachment_fu and page_attachments into my
Radiant app. The installs went smoothly until I tried to edit a page.
Then I got this error:


ActionController::InvalidAuthenticityToken in Admin/page#edit

Showing vendor/extensions/page_attachments/app/views/admin
/page/_attachments_box.html.erb where line #7 raised:

No :secret given to the #protect_from_forgery call. Set that or use
a session store capable of generating its own keys (Cookie Session
Store).

I’m using Active Record Session Store and I don’t much care for Cookie
session store because it limits what I can stick in the session. I have
a :secret defined in my environment.rb and I also have

config.action_controller.allow_forgery_protection = false

in there. Could somebody tell me how to fix this or point me to
resources to learn about the forgery protection stuff?

(In the meantime I’m googling this topic)

Thank you.

Steve


#2

It appears this link will help. I would prefer to build sites
without learning anything but sometimes I am forced.

http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html


#3

Geez, I don’t know what just happened here, but I stuck this line of
code in some obscure file I didn’t even know existed and it fixed my
problem.

I stuck this line of code:

protect_from_forgery :secret => 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index

into my

radiant-0.6.9/app/controllers/admin/page_controller.rb

and the error went away.


#4

For some reason, the CSRF protections in Rails require that if you use
:active_record_store for sessions, the key given in your config setting
must be equivalent to the key given in the call to protect_from_forgery
in the controller. One way around this might be to add an
after_initialize block like so:

config.after_initialize do
  # update needs its argument on the same line (or in parentheses),
  # otherwise Ruby parses a bare `update` followed by a stray hash
  ActionController::Base.request_forgery_protection_options.update(
    :secret => 'putyourreallylongsha1hashkeyhere')
end

Sean
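The token derivation behind posts #3 and #4, as an added example that is not code from the thread, from Rails or from Radiant: in Rails 2.0 to 2.2, when the session store cannot generate its own key (ActiveRecordStore, as in the first post), form_authenticity_token is SHA1 of the session id joined to the :secret handed to protect_from_forgery, and protect_from_forgery records its options per controller class. The stand-in controller, the session hash and the secret strings below are assumptions made for illustration.

```ruby
require 'digest/sha1'

# Added example, not code from this thread or from Rails/Radiant: a small
# re-implementation of how Rails 2.0-2.2 built the form authenticity token for
# a session store that cannot generate its own key (ActiveRecordStore).
# The real logic lives in ActionController::RequestForgeryProtection; the
# controller class, session hash and secrets here are illustrative assumptions.

class InvalidAuthenticityToken < StandardError; end

# Stand-in for a Rails 2.x controller. protect_from_forgery stores its options
# (:secret, :except, ...) on the controller class it is called in, so a secret
# pasted into one controller does nothing for the others.
class DemoController
  attr_reader :session, :forgery_options

  def initialize(session, options = {})
    @session = session
    @forgery_options = {
      :secret => options[:secret],
      :except => Array(options[:except]).map(&:to_sym)
    }
  end

  # Rails 2.x for non-cookie stores: SHA1("<session_id>--<secret>").
  # With no :secret the helper raises the exact error quoted in the thread.
  def form_authenticity_token
    key = forgery_options[:secret]
    if key.nil?
      raise InvalidAuthenticityToken,
            'No :secret given to the #protect_from_forgery call. Set that or use ' \
            'a session store capable of generating its own keys (Cookie Session Store).'
    end
    key = key.call(session) if key.respond_to?(:call) # Rails also accepted a lambda
    Digest::SHA1.hexdigest("#{session[:session_id]}--#{key}")
  end

  # Mirrors verify_authenticity_token for a non-GET request: actions listed in
  # :except skip the check, every other action must carry a matching token.
  def verified_request?(action, params)
    return true if forgery_options[:except].include?(action.to_sym)
    params[:authenticity_token] == form_authenticity_token
  end
end

# Constructed sample session: the id an ActiveRecordStore row would carry.
SESSION = { :session_id => '0f2c9ab4d6e1c8f0a3b5c7d9e1f2a4b6c8d0e2f4' }
SHARED_SECRET = 'example-secret-set-once-for-the-whole-app'

# 1. No :secret anywhere (the situation in the first post) -> the error.
def token_without_secret
  DemoController.new(SESSION).form_authenticity_token
rescue InvalidAuthenticityToken => e
  e.message
end

# 2. Form rendered by one controller, posted to another; both controllers use
#    the same secret, so the tokens agree and the request is accepted.
def shared_secret_accepted?
  page = DemoController.new(SESSION, :secret => SHARED_SECRET)
  attachments = DemoController.new(SESSION, :secret => SHARED_SECRET)
  token = page.form_authenticity_token
  attachments.verified_request?(:create, :authenticity_token => token)
end

# 3. The secret was pasted into only one controller (as in post #3) while the
#    rest of the app uses a different one: same session, different token.
def mismatched_secret_accepted?
  page = DemoController.new(SESSION, :secret => 'asdfqwexxcoivswhallelujah!yippee!fqewwel')
  attachments = DemoController.new(SESSION, :secret => SHARED_SECRET)
  token = page.form_authenticity_token
  attachments.verified_request?(:create, :authenticity_token => token)
end

# 4. :except => :index disables the check for that action, matching token or not.
def except_skips_check?
  page = DemoController.new(SESSION, :secret => SHARED_SECRET, :except => :index)
  page.verified_request?(:index, :authenticity_token => 'bogus')
end

if __FILE__ == $PROGRAM_NAME
  puts token_without_secret
  puts "shared secret accepted:     #{shared_secret_accepted?}"
  puts "mismatched secret accepted: #{mismatched_secret_accepted?}"
  puts ":except skips check:        #{except_skips_check?}"
end
```

Because the token is a pure function of the session id and the secret, every controller that renders or verifies a form has to see the same :secret. That is why declaring it in a single controller (post #3) only silences the error there, and why setting one value on ActionController::Base, as post #4 does, or a single protect_from_forgery call in the application's base controller, is the usual fix.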


#5

It seems Rails just patched a CSRF vulnerability yesterday.

http://weblog.rubyonrails.com/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

Victor

On 11/18/08 11:41 PM, “Sean C.” removed_email_address@domain.invalid wrote:

Victor Zuniga
Westerville Public Library
126 S. State St. | Westerville, OH 43081
Phone: 614.882.7277 | ext 165