
Ticket #7910 (closed enhancement: fixed)

Opened 1 year ago

Last modified 1 year ago

[PATCH] Adds automatic removal of security delimiters

Reported by: Tobie
Assigned to: sam
Priority: normal
Milestone: 1.x
Component: Prototype
Version: edge
Severity: normal
Keywords: 1.5.1 discuss
Cc:

Description

Adds a String#removeSecurityDelimiters method, which is called before eval (for JSON data, RJS, etc.).

Adds a Prototype.SecurityDelimiterPattern property to adapt more easily to whatever is used on the server.

Better names for both are welcomed - I'm really lacking imagination this evening.

Attachments

secureJSON.diff (2.5 kB) - added by Tobie on 03/26/07 01:55:52.
still without String#removeSecurityDelimiter

Change History

03/26/07 01:55:52 changed by Tobie

  • attachment secureJSON.diff added.

still without String#removeSecurityDelimiter

04/04/07 08:27:01 changed by mislav

04/04/07 09:37:34 changed by Tobie

If I'm not mistaken, the 130 byte solution doesn't solve this security concern at all, as the attacker relies on auto-evaluation of the content using the dynamic script tag technique.

04/04/07 09:43:47 changed by Tobie

The purpose of the security delimiters is just to enforce SOP in that case (i.e. it makes the content inaccessible by any other means than an Ajax request).
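The mechanism the ticket description and the comment above describe, as an added JavaScript example; this is not Prototype's code and not the attached patch. The comment-style delimiter pattern, the function names and the server-side `addSecurityDelimiters` helper are assumptions made for the example (the ticket leaves the delimiter format configurable and asks for better names). Wrapping the whole response in a JavaScript comment means that if the resource is pulled in through a `<script src>` from another origin it evaluates to nothing, while a same-origin Ajax caller can strip the delimiters and parse the body.

```javascript
// Assumed delimiter convention: the entire body is one block comment
// opened by "/*-secure-" and closed by "*/". Only text that matches this
// shape from start to end is treated as protected JSON.
const SecurityDelimiterPattern = /^\/\*-secure-([\s\S]*)\*\/\s*$/;

// Strip the delimiters and return the inner JSON text.
// Returns null when the delimiters are absent, so a caller that expects a
// protected endpoint can refuse to evaluate undelimited content.
function removeSecurityDelimiters(text, pattern = SecurityDelimiterPattern) {
  const match = pattern.exec(text);
  return match ? match[1] : null;
}

// Parse a protected response. JSON.parse is used instead of eval: it
// accepts only data, never code, which is the safer choice wherever it exists.
function parseSecureJSON(text, pattern = SecurityDelimiterPattern) {
  const body = removeSecurityDelimiters(text, pattern);
  if (body === null) {
    throw new Error('response is missing security delimiters; refusing to parse');
  }
  return JSON.parse(body);
}

// Constructed server-side counterpart (hypothetical): serialize a value and
// wrap it in the delimiters before sending it to the client.
function addSecurityDelimiters(value) {
  return '/*-secure-\n' + JSON.stringify(value) + '\n*/';
}

// Worked run on a constructed payload.
const wrapped = addSecurityDelimiters({ user: 'alice', balance: 42 });
console.log(wrapped);                       // the wire format: one block comment
console.log(parseSecureJSON(wrapped));      // { user: 'alice', balance: 42 }
console.log(removeSecurityDelimiters('[1,2]')); // null: bare JSON is not protected
```

Because the pattern is anchored at both ends, a response with anything outside the comment (a leading byte-order mark, trailing script, a second statement) is rejected rather than partially unwrapped; if a server emits leading whitespace, widen the pattern deliberately rather than dropping the anchors.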

04/24/07 05:45:26 changed by Tobie

  • status changed from new to closed.
  • resolution set to fixed.

fixed in [6556]