Forum: Ruby on Rails "HTTP Parameter Pollution" and Rails

Stephan Wehner (stephanwehner)
on 2009-05-21 08:54
Today there was a posting by Stefano di Paola to the Web Security
Mailing List,

  http://www.webappsec.org/lists/websecurity

about "HTTP Parameter Pollution", with a reference to his and Luca
Carettoni's presentation at

  http://www.owasp.org/images/b/ba/AppsecEU09_Carett...

The point is that different web servers/backends behave differently when
handling requests such as

    GET /foo?par1=val1&par1=val2 HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: Host
    Accept: */*


    POST /foo HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: Host
    Accept: */*
    Content-Length: 19

    par1=val1&par1=val2

The point is that the same key (here par1) occurs with two or more
values. They document both server and client side attacks based on this.

On page 9 the presentation lists many http servers/backends, but not
Rails (instead, the Linksys Wireless-G PTZ Internet Camera is
included:-). I believe Rails falls under "Last occurrence", and I think
that works out well.

In particular, I see Rails handling requests such as

  http://localhost:3000/login?controller=other_contr...

just fine -- the controller/action one expects is invoked (here,
login/index).

However I couldn't find the behaviour with respect to such multiple
key-value assignments, or attempts at overriding the "Rails special"
controller/action  keys, covered in the actionpack unit tests.

Can you make out any security problems?

Stephan
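
An added example, not part of the original post and not Rails or Rack code: it uses only Ruby's standard `URI` module to show how one request body yields different values under different duplicate-key strategies, and adds a check a filter could run before dispatch. The `:first` and `:concat` strategies and the helper names (`resolve`, `pollution_findings`) are assumptions made for illustration; `:last` is the behaviour the post attributes to Rails.

```ruby
require "uri"

# Keys Rails routing fills in itself (the "Rails special" keys named in the post).
RESERVED_KEYS = %w[controller action].freeze

# Parse a query string or form body into ordered [key, value] pairs,
# keeping every occurrence of a repeated key.
def pairs(raw)
  URI.decode_www_form(raw)
end

# Resolve repeated keys the way differing backends might.
# :last matches what the post believes Rails does; :first and :concat
# are hypothetical contrasting strategies.
def resolve(raw, strategy)
  grouped = pairs(raw).group_by(&:first).transform_values { |kv| kv.map(&:last) }
  grouped.transform_values do |values|
    case strategy
    when :first  then values.first
    when :last   then values.last
    when :concat then values.join(",")
    else raise ArgumentError, "unknown strategy: #{strategy}"
    end
  end
end

# Defensive check: report scalar keys that occur more than once and any
# attempt to supply routing keys as parameters. Keys ending in "[]" are
# array parameters by convention and are allowed to repeat.
def pollution_findings(raw)
  counts = pairs(raw).map(&:first).tally
  dups = counts.select { |k, n| n > 1 && !k.end_with?("[]") }.keys
  { duplicates: dups, reserved: counts.keys & RESERVED_KEYS }
end

# Constructed sample inputs, modelled on the requests in the post.
if __FILE__ == $PROGRAM_NAME
  body = "par1=val1&par1=val2"
  %i[first last concat].each { |s| puts "#{s}: #{resolve(body, s).inspect}" }
  p pollution_findings("controller=other&id=1&tag[]=a&tag[]=b")
end
```

A front-end filter and the application disagree about a request exactly when `resolve` gives different answers for the strategies each one uses, which is why the check flags the duplicate rather than picking a winner.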