Security issue: a user can fill cache with random urls


#1

Say your app responds to : store/show/3 and caching is enable at the
store controller level.

A route says : map.connect ‘store/:action/:id’, :controller => ‘store’

All the following urls will be processed and cached (the cache
filling with ‘page not found’ messages) !

store/foo/bar
store/show/090934298234897342
store/show/090934598234897347
store/show/090934294234897341
store/show/090934298234897343

How can I avoid this ?

Is there a way to disable caching ‘on the fly’, saying to rails :
this page is an error, do not cache it.

Thank you for your help.

Gaspard


#2

Submit a patch ticket. Something like

Index: actionpack/lib/action_controller/caching.rb

— actionpack/lib/action_controller/caching.rb (revision 3716)
+++ actionpack/lib/action_controller/caching.rb (working copy)
@@ -129,6 +129,7 @@
# cache_page “I’m the cached content”, :controller =>
“lists”, :action => “show”
def cache_page(content = nil, options = {})
return unless perform_caching && caching_allowed

  •    return if content.nil? && @response.headers['Status'] &&
    

!(200…300).include?(@response.headers[‘Status’].to_i)
self.class.cache_page(content || @response.body,
url_for(options.merge({ :only_path => true, :skip_relative_url_root =>
true })))
end


Kent


#3

It’s that simple !

Thanks, I didn’t know about the cache_page function.

Gaspard


#4

On 01/03/06, Gaspard B. removed_email_address@domain.invalid wrote:

Say your app responds to : store/show/3 and caching is enable at the
store controller level.
All the following urls will be processed and cached (the cache
filling with ‘page not found’ messages) !
How can I avoid this ?
Is there a way to disable caching ‘on the fly’, saying to rails :
this page is an error, do not cache it.

I conditionally enable page caching for found pages only.

def show
@page = Page.find(param[:id])
if @page
render …
cache_page
else
render error page
end
end