Forum: Ruby on Rails Security issue: a user can fill cache with random urls

Gaspard Bucher (Guest)
on 2006-03-01 15:43
(Received via mailing list)
Say your app responds to store/show/3 and caching is enabled at the
store controller level.

A route says : map.connect 'store/:action/:id', :controller => 'store'


All the following urls will be processed and cached (the cache
filling with 'page not found' messages) !

store/foo/bar
store/show/090934298234897342
store/show/090934598234897347
store/show/090934294234897341
store/show/090934298234897343
...

How can I avoid this ?

Is there a way to disable caching 'on the fly', saying to rails :
this page is an error, do not cache it.

Thank you for your help.

Gaspard
Kent Sibilev (Guest)
on 2006-03-01 17:11
(Received via mailing list)
Submit a patch ticket. Something like

Index: actionpack/lib/action_controller/caching.rb
===================================================================
--- actionpack/lib/action_controller/caching.rb (revision 3716)
+++ actionpack/lib/action_controller/caching.rb (working copy)
@@ -129,6 +129,7 @@
       #   cache_page "I'm the cached content", :controller =>
"lists", :action => "show"
       def cache_page(content = nil, options = {})
         return unless perform_caching && caching_allowed
+        return if content.nil? && @response.headers['Status'] &&
!(200...300).include?(@response.headers['Status'].to_i)
         self.class.cache_page(content || @response.body,
url_for(options.merge({ :only_path => true, :skip_relative_url_root =>
true })))
       end
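
Review bot: The guard on the added `return if content.nil? && ...` line only runs when `content` is nil, so a caller that passes the body explicitly, as in the `cache_page "I'm the cached content", ...` usage shown in the comment above, still writes a cache file for a non-2xx response; if that is intended, say so in the method comment, otherwise drop the `content.nil?` condition. The check also depends on `@response.headers['Status']` being set to a non-2xx value, so an action that renders a 'page not found' body without setting an error status is still cached, which the doc comment should state. The condition is long enough that a small private predicate for "response is successful" would read better, and the visible diff touches only caching.rb, with no test for the new early return.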


--
Kent
Łukasz Piestrzeniewicz (Guest)
on 2006-03-01 17:18
(Received via mailing list)
On 01/03/06, Gaspard Bucher <g.bucher@teti.ch> wrote:
> Say your app responds to store/show/3 and caching is enabled at the
> store controller level.
> All the following urls will be processed and cached (the cache
> filling with 'page not found' messages) !
> How can I avoid this ?
> Is there a way to disable caching 'on the fly', saying to rails :
> this page is an error, do not cache it.

I conditionally enable page caching for found pages only.

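def show
  # find_by_id returns nil for an unknown id (Page.find would raise RecordNotFound)
  @page = Page.find_by_id(params[:id])
  if @page
    render :action => 'show'
    # cache_page with no argument stores the body that was just rendered
    cache_page
  else
    # error responses are rendered but never written to the page cache
    render :text => 'Page not found', :status => 404
  end
end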
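
Added example (not part of the original posts, and not Rails code): a self-contained Ruby model of the two guards discussed in this thread, the status check from Kent's patch and the cache-only-found-pages check from Łukasz's action. `PageCache`, `PAGES`, `show` and `demo` are hypothetical names, and the records and request ids are constructed.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed stand-in for a page cache: one file per cached request path.
class PageCache
  def initialize(root)
    @root = root
  end

  # Status guard in the spirit of the patch above: only 2xx responses are written.
  def store(path, status, body)
    return false unless (200...300).include?(status.to_i)
    file = File.join(@root, "#{path}.html")
    FileUtils.mkdir_p(File.dirname(file))
    File.write(file, body)
    true
  end

  def entries
    Dir.glob(File.join(@root, '**', '*.html')).map { |f| f.sub("#{@root}/", '') }.sort
  end
end

PAGES = { 3 => 'Widget' }.freeze # constructed records

# Hypothetical action: returns [status, body] and caches only pages that exist.
def show(cache, id)
  # Canonical ids only: "3abc".to_i and "03".to_i are both 3, so a loose
  # lookup would cache any number of aliases of the same page.
  page = PAGES[id.to_i] if id.to_i.to_s == id
  return [404, 'Page not found'] unless page # error never reaches the cache

  body = "<h1>#{page}</h1>"
  cache.store("store/show/#{id}", 200, body)
  [200, body]
end

# Replays the constructed requests and reports what ended up on disk.
def demo
  Dir.mktmpdir do |root|
    cache = PageCache.new(root)
    %w[3 090934298234897342 090934598234897347 bar 3abc 03].each { |id| show(cache, id) }
    {
      error_status_cached: cache.store('store/show/998', '404 Not Found', 'Page not found'),
      soft_404_cached: cache.store('store/show/999', 200, 'Page not found'),
      entries: cache.entries
    }
  end
end
```

The `soft_404_cached` result shows the limit of a status-only guard: an error body sent with a 200 status is still written, which is why the controller-level check is needed as well.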
Gaspard Bucher (Guest)
on 2006-03-01 17:20
(Received via mailing list)
It's that simple !

Thanks, I didn't know about the cache_page function.

Gaspard