Forum: Ruby on Rails Is this a necessary precaution?

Anonymous (Guest)
on 2007-03-09 01:49
If I'm not mistaken, a user can send POST data from outside of a web
browser; I think this is something that is done to brute-force form
logins, or to automate spam, etc.

In my app, which operates like a forum, Comment objects have a boolean
attribute "sticky" which determines if that Comment is displayed before
all other comments.

I was thinking, what would happen if a user forcefully sent "sticky =>
true" in POST data?  I would imagine my app's new_comment action would
simply create a new object from that data and falsely make his or her
post a sticky-post.  Is this a possibility, and is it something I should
be trying to prevent?  Just something I recently pondered.
James Stewart (Guest)
on 2007-03-09 02:28
(Received via mailing list)
On Mar 8, 2007, at 7:49 PM, Anonymous wrote:
> If I'm not mistaken, a user can send POST data from outside of a web
> browser; I think this is something that is done to brute-force form
> logins, or to automate spam, etc.

Yes, and often for testing.

> be trying to prevent?  Just something I recently pondered.
That is a danger if you're doing something like:

MyModel.create(params[:my_model])

without checking the param values.

You probably want to take a look at the attr_protected method:

http://rails.rubyonrails.org/classes/ActiveRecord/...

James.

--
James Stewart
Play: http://james.anthropiccollective.org
Work: http://jystewart.net/process/
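A plain-Ruby sketch of the mass-assignment problem James describes, added here as an example (it is not code from this thread or from Rails itself): the `Comment` class copies every key of a params hash onto the object, the way `MyModel.create(params[:my_model])` does, and a `PROTECTED` list plays the role of `attr_protected`. All class, method and parameter names are hypothetical, and the request body is constructed for the example.

```ruby
# Minimal stand-in for an ActiveRecord model (no Rails dependency).
class Comment
  ATTRIBUTES = [:author, :body, :sticky].freeze
  # Attributes a request body may never set directly; this list stands in
  # for attr_protected :sticky in the real model.
  PROTECTED = [:sticky].freeze

  attr_reader :author, :body, :sticky

  # protect: false reproduces the unguarded create(params[...]) behaviour
  # from the thread; protect: true is the attr_protected-style fix.
  def initialize(params = {}, protect: true)
    @sticky = false
    assign(params, protect: protect)
  end

  # Mass assignment: walk every key of the incoming hash and set the
  # matching attribute, skipping unknown keys and (when protecting)
  # anything on the PROTECTED list.
  def assign(params, protect: true)
    params.each do |key, value|
      key = key.to_sym
      next unless ATTRIBUTES.include?(key)
      next if protect && PROTECTED.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # The only intended way to make a comment sticky: called from trusted
  # code (e.g. a moderator-only action), never from request params.
  def make_sticky!
    @sticky = true
    self
  end
end

# Constructed request body: an ordinary comment with a smuggled "sticky"
# field, exactly the POST the original poster was worried about.
FORGED_PARAMS = { "author" => "alice", "body" => "hello", "sticky" => true }.freeze

# Vulnerable path: every param, including sticky, lands on the object.
def unprotected_comment(params = FORGED_PARAMS)
  Comment.new(params, protect: false)
end

# Hardened path: sticky is dropped, the rest of the params are kept.
def protected_comment(params = FORGED_PARAMS)
  Comment.new(params)
end
```

With the forged body, `unprotected_comment.sticky` is `true` while `protected_comment.sticky` stays `false`, and `make_sticky!` remains the one way for trusted code to set it.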
Eden Li (edenli)
on 2007-03-09 02:47
(Received via mailing list)
Yes, this is the reason for captchas and user-logins.  You should be
actively thinking about how people can attack your app from both
within and without a web browser.

If you're allowing your objects to be modified via POSTs, you should
probably authenticate the call first.  You have some sort of login
system, right?
Anonymous (Guest)
on 2007-03-09 02:50
Ah okay, I was right.

I was preventing it by: self[:sticky] = nil during before_create.  I was
previously unaware of attr_protected which is obviously a much cleaner
solution.  Thanks.

> Yes, and often for testing.
Sigh.  One day I'll actually learn how to do this.  I don't know why
I've allowed myself to go so long without.
Nelson Hsu (Guest)
on 2007-03-09 03:27
You might want to check out this link[1] as well.  It cautions about
your very problem, and has a few other precautions you can take to
harden your application.

Nelson

[1] http://manuals.rubyonrails.com/read/book/8


Anonymous wrote:
> Ah okay, I was right.
>
> I was preventing it by: self[:sticky] = nil during before_create.  I was
> previously unaware of attr_protected which is obviously a much cleaner
> solution.  Thanks.
>
>> Yes, and often for testing.
> Sigh.  One day I'll actually learn how to do this.  I don't know why
> I've allowed myself to go so long without.