Forum: Rails-ES Fwd: [Hacking] Potential Circumvention of CSRF Protection in Rails 2.1

Manuel González Noriega (Guest)
on 2008-11-18 20:32
(Received via mailing list)
Sent to you by Manuel González Noriega via Google Reader:


Potential Circumvention of CSRF Protection in Rails 2.1 <http://feeds.feedburner.com/%7Er/RidingRails/%7E3/...
via Riding Rails - home <http://weblog.rubyonrails.com/> by michael on 11/18/08

There is a bug in all 2.1.x versions of Ruby on Rails which affects the
effectiveness of the CSRF protection given by protect_from_forgery.

By design, Rails does not perform token verification on requests with
certain content types that are not typically generated by browsers.
Unfortunately, this list also included 'text/plain', which can be
generated by browsers.
Impact

Requests can be crafted which will circumvent the CSRF protection
entirely. Rails does not parse the parameters provided with these
requests, but that may not be enough to protect your application.
Affected Versions

   - All releases in the 2.1 series
   - All 2.2 Pre Releases

Fixes

The upcoming 2.1.3 and 2.2.2 releases will contain a fix for this issue.
Interim Workarounds

Users of 2.1.x releases are advised to insert the following code into a
file in config/initializers/

Mime::Type.unverifiable_types.delete(:text)

Users of Edge Rails after 2.2.1 should upgrade to the latest code in
2-2-stable.

The patch for the 2.1.x series is available on
github <http://github.com/rails/rails/commit/099a98e9b7108....
This will also apply cleanly to 2.2 pre-releases prior to this
changeset <http://github.com/rails/rails/commit/f1ad8b48aae3e...
on Thursday November 13th at 11:19:53 2008 CET. Users with edge-rails
checkouts after that date are advised to upgrade to the latest code in
2-2-stable.
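
The following is an added example, not code from the advisory or from Rails itself: a simplified, stand-alone model of the decision protect_from_forgery makes before checking the authenticity token, written to show why the interim workaround above matters. The content-type table, the list of "unverifiable" MIME symbols and the function names (verification_required?, request_allowed?) are assumptions constructed for this illustration; only the presence of :text on the list and the Mime::Type.unverifiable_types.delete(:text) workaround come from the advisory.

```ruby
require 'set'

# Simplified model (NOT Rails' own code) of the check protect_from_forgery
# performs. Rails 2.1 skipped token verification when the request's content
# type mapped to a symbol on an "unverifiable" list; the advisory's point is
# that :text (text/plain) was on that list although browsers can send it.

# Constructed mapping from Content-Type to a MIME symbol, limited to the
# handful of types relevant to this discussion.
CONTENT_TYPE_SYMBOLS = {
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'text/plain'                        => :text,
  'application/xml'                   => :xml,
  'application/json'                  => :json,
}.freeze

# Constructed stand-in for the vulnerable 2.1.x list: :text is present, so a
# text/plain request is never asked for a token. The other members are
# assumptions used only to give the list more than one entry.
VULNERABLE_UNVERIFIABLE_TYPES = Set[:text, :xml, :json].freeze

# The same list after the interim workaround
# (Mime::Type.unverifiable_types.delete(:text)) has been applied.
PATCHED_UNVERIFIABLE_TYPES = (VULNERABLE_UNVERIFIABLE_TYPES - [:text]).freeze

# Returns true when the authenticity token must be checked for this request.
# GET is exempt (it should not change state). Any other method is exempt only
# if the content type's symbol is on the unverifiable list; an unknown or
# missing content type is verified rather than trusted.
def verification_required?(method, content_type, unverifiable_types)
  return false if method.to_s.upcase == 'GET'
  media_type = content_type.to_s.split(';').first.to_s.strip.downcase
  sym = CONTENT_TYPE_SYMBOLS[media_type]
  return true if sym.nil?
  !unverifiable_types.include?(sym)
end

# Full decision: allow the request if no verification is required, otherwise
# only if the submitted token matches the session token. A plain comparison
# is used to keep the model short; production code would compare in
# constant time.
def request_allowed?(method, content_type, session_token, submitted_token,
                     unverifiable_types)
  return true unless verification_required?(method, content_type,
                                            unverifiable_types)
  !session_token.nil? && session_token == submitted_token
end

if __FILE__ == $0
  [VULNERABLE_UNVERIFIABLE_TYPES, PATCHED_UNVERIFIABLE_TYPES].each do |list|
    allowed = request_allowed?('POST', 'text/plain', 'session-token', nil, list)
    puts "unverifiable=#{list.to_a.inspect}: tokenless text/plain POST allowed? #{allowed}"
  end
end
```

Run with a vulnerable-style list and a tokenless text/plain POST is allowed through; with :text removed, the same request is rejected until a matching token is supplied. Note that the model also strips a charset parameter, so "text/plain; charset=utf-8" is treated the same as "text/plain", which is the behaviour you want from the workaround.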


