Ruby on Rails

Ticket #11071 (new defect)

Opened 5 months ago

Last modified 2 months ago

[PATCH] Globally fix CSRF for ajax requests by double submiting cookies

Reported by: zsombor Assigned to: core
Priority: normal Milestone: 2.x
Component: ActionPack Version: edge
Severity: normal Keywords:
Cc: sergio@entrecables.com, erkki@itech.ee, jarkko@jlaine.net, jonathan.weiss@peritor.com

Description

Currently CSRF protection relies on the presence of an authentication token; this must be passed with all requests to enjoy the benefits. This makes hand-written Ajax.Request calls difficult to code: you'll have to pass auth_token, but you just don't know this at the javascript source file level. Workarounds exist, like storing the auth_token in a JS variable on page load and then manually passing this in to every Ajax.Request call you'll write. Sounds fishy and it is.

I propose instead changing the prototype.js code to double submit all cookies in a _cookie parameter added automatically to every ajax request. Due to browser security rules only valid JS code would be able to read the cookies and send the _cookie along. At rails level we would check if the cookie arriving via the parameter hash matches the one we got from the browser via HTTP_COOKIE. If yes, the request is certainly valid even if the auth token is not present. This effectively fixes the CSRF problem for Ajax requests globally, whilst lifting the requirement of manual auth_token passing.

You just have to see the path taken by current rails helpers generating JS code and be amazed how many times this auth_token appears. Tickets #10700, #10059, #10055 and #9731 are all about this.

Attached patch adds this feature, solving all of the above tickets. In a second step we could remove the auth_token parameter from all code generated by link_to_remote, form_remote_for etc.
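The server-side half of the scheme described above, as an added illustration that is not the attached double_submit.patch and not Rails code: the `_cookie` parameter (assumed here to carry the browser's document.cookie string, as the patched prototype.js would append it) is parsed and its session cookie compared against the one the browser sent in the HTTP Cookie header. The session cookie name `_myapp_session` is taken from the value quoted later in this ticket and is an assumption, as is the `expected_token` keyword used for the auth_token fallback.

```ruby
require "cgi"

# Constructed example of the double-submit cookie check proposed in the ticket
# description; it is not the attached patch. Assumed for illustration:
# SESSION_COOKIE is the app's session cookie name and the `_cookie` parameter
# carries the document.cookie string appended by same-origin JavaScript.
module DoubleSubmitCheck
  SESSION_COOKIE = "_myapp_session" # assumed name

  # Parse an "a=1; b=2" cookie string (HTTP Cookie header or document.cookie)
  # into a hash. Values are URL-decoded so both sides compare equal.
  def self.parse_cookies(str)
    return {} if str.nil?
    str.split(/;\s*/).each_with_object({}) do |pair, acc|
      name, value = pair.split("=", 2)
      next if name.nil? || name.strip.empty?
      acc[name.strip] = CGI.unescape(value.to_s)
    end
  end

  # Constant-time comparison so response timing does not leak how many leading
  # bytes of the session cookie a submitted value got right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # `params` is the request parameter hash, `cookie_header` the raw HTTP Cookie
  # header. A request is verified when the session cookie the browser sent
  # matches the copy the page's own JavaScript double-submitted in `_cookie`
  # (a cross-site page cannot read that cookie, so it cannot forge the copy).
  # Without `_cookie`, fall back to the authenticity token (`expected_token`).
  def self.verified?(params, cookie_header, expected_token: nil)
    if params.key?("_cookie")
      browser   = parse_cookies(cookie_header)[SESSION_COOKIE]
      submitted = parse_cookies(params["_cookie"])[SESSION_COOKIE]
      return false if browser.nil? || submitted.nil?
      return secure_compare(browser, submitted)
    end
    return false if expected_token.nil? || params["authenticity_token"].nil?
    secure_compare(expected_token, params["authenticity_token"].to_s)
  end
end

# Constructed sample requests (not captured traffic)
if __FILE__ == $0
  header = "_myapp_session=abc123; lang=en"
  p DoubleSubmitCheck.verified?({ "_cookie" => "_myapp_session=abc123; lang=en" }, header)         # => true
  p DoubleSubmitCheck.verified?({ "_cookie" => "_myapp_session=ZZZ" }, header)                     # => false
  p DoubleSubmitCheck.verified?({}, header)                                                         # => false
  p DoubleSubmitCheck.verified?({ "authenticity_token" => "tok" }, header, expected_token: "tok")  # => true
end
```

The check compares only the session cookie rather than the whole header, so unrelated cookies set by other paths on the same host do not cause spurious failures; the constant-time compare is the one detail worth keeping even in a throwaway version, since the session cookie is the secret being verified.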

Attachments

double_submit.patch (5.8 kB) - added by zsombor on 02/10/08 19:52:45.
Double submit cookies for CSRF protection

Change History

02/10/08 19:52:45 changed by zsombor

  • attachment double_submit.patch added.

Double submit cookies for CSRF protection

02/11/08 17:40:33 changed by kampers

  • milestone changed from 2.1 to 2.x.

02/11/08 22:17:22 changed by sergiocambra

  • cc set to sergio@entrecables.com.

03/19/08 14:13:48 changed by Erkki

  • cc changed from sergio@entrecables.com to sergio@entrecables.com, erkki@itech.ee.

03/19/08 14:27:40 changed by jarkko

  • cc changed from sergio@entrecables.com, erkki@itech.ee to sergio@entrecables.com, erkki@itech.ee, jarkko@jlaine.net.

03/20/08 09:31:53 changed by jw

  • cc changed from sergio@entrecables.com, erkki@itech.ee, jarkko@jlaine.net to sergio@entrecables.com, erkki@itech.ee, jarkko@jlaine.net, jonathan.weiss@peritor.com.

05/01/08 17:06:32 changed by etlund

This patch did not resolve my issue of InvalidAuthenticityToken error with in_place_editing. I'm on Rails 2.0.2 and I only tested this with the 'in_place_editing' plugin (I didn't try any other kinds of Ajax request).

The patch for ticket #10055 did work to solve my problem with 'in_place_editing' and the InvalidAuthenticityToken error.

05/01/08 20:05:11 changed by zsombor

Did you update the prototype.js also when doing your test? I.e. you have to copy the prototype.js file out of the vendor dir and into your app's pub. Otherwise it will not work.

05/01/08 20:32:02 changed by etlund

Yes, I did that (copied the patched prototype.js to my javascripts folder.) I also verified that the additional params were added to the post request (&_cookie=_myapp_sessionblahblahblah) but still no joy. I also restarted the server.

FYI, both request_forgery_protection_test.rb and cookie_store_test.rb run with no errors.

Any other details I can provide?

05/02/08 07:03:40 changed by zsombor

Odd as it works in production at rentomatic.com. Either the plugin itself is flawed, or the patch is old and needs updating against newest rails code.