2015-03-02 107 views

1 Answer

You can apply exactly the same change to the Rails 3.2 ActionController::RequestForgeryProtection module.

# config/initializers/cross_origin_script_tag_protection.rb

module ActionController
  class InvalidCrossOriginRequest < ActionControllerError
  end

  module RequestForgeryProtection
    module ClassMethods
      def protect_from_forgery(options = {})
        self.request_forgery_protection_token ||= :authenticity_token
        prepend_before_filter :verify_authenticity_token, options
        # Rails 3.2 names the callback helpers *_filter; append_after_action
        # only exists from Rails 4.0 on.
        append_after_filter :verify_same_origin_request
      end
    end

    protected

    def verify_authenticity_token
      @marked_for_same_origin_verification = true

      unless verified_request?
        logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
        handle_unverified_request
      end
    end

    CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
      "<script> tag on another site requested protected JavaScript. " \
      "If you know what you're doing, go ahead and disable forgery " \
      "protection on this action to permit cross-origin JavaScript embedding."
    private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING

    # If `verify_authenticity_token` was run (indicating that we have
    # forgery protection enabled for this request) then also verify that
    # we aren't serving an unauthorized cross-origin response.
    def verify_same_origin_request
      if marked_for_same_origin_verification? && non_xhr_javascript_response?
        logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
        raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
      end
    end

    # If the `verify_authenticity_token` before_filter ran, verify that
    # JavaScript responses are only served to same-origin GET requests.
    def marked_for_same_origin_verification?
      defined? @marked_for_same_origin_verification
    end

    # Check for cross-origin JavaScript responses: a text/javascript body
    # that was not requested via XMLHttpRequest is what a <script src>
    # embed on another site would receive.
    def non_xhr_javascript_response?
      content_type =~ %r(\Atext/javascript) && !request.xhr?
    end
  end
end

Let me know whether it works for you.

+1

It worked for me once I changed 'append_after_action :verify_same_origin_request' to 'append_after_filter :verify_same_origin_request'. – 2015-03-05 22:20:54
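To make the decision the two backported filters take visible without a Rails app, here is an added, framework-free model of them. This is illustration code, not code from the answer or from Rails: requests and responses are plain hashes constructed below, the `:headers` key stands in for the Rack env, and "xhr" is derived the way Rack's `Request#xhr?` does it, from the `X-Requested-With` header. The class and method names are hypothetical.

```ruby
# Added illustration (not the answer's or Rails' own code): a framework-free
# model of the before_filter / after_filter pair the backport wires up.

class InvalidCrossOriginRequest < StandardError; end

class SameOriginJavascriptCheck
  JS_CONTENT_TYPE = %r{\Atext/javascript}
  WARNING = "Security warning: an embedded <script> tag on another site " \
            "requested protected JavaScript."

  # forgery_protection: false models an action that skipped
  # verify_authenticity_token (e.g. via skip_before_filter).
  def initialize(forgery_protection: true)
    @forgery_protection = forgery_protection
    @marked_for_same_origin_verification = false
  end

  # Equivalent of the prepended before_filter: only actions under forgery
  # protection are marked, so unprotected actions are never checked later.
  def before_filter
    @marked_for_same_origin_verification = true if @forgery_protection
  end

  # Equivalent of the appended after_filter: a text/javascript response that
  # was not requested via XMLHttpRequest is what a cross-site
  # <script src="..."> embed receives, so it is refused.
  def after_filter(request, response)
    return :allowed unless @marked_for_same_origin_verification
    if non_xhr_javascript_response?(request, response)
      raise InvalidCrossOriginRequest, WARNING
    end
    :allowed
  end

  private

  # Same rule as Rack::Request#xhr?: the header browsers set on XHR calls.
  def xhr?(request)
    request.fetch(:headers, {})["X-Requested-With"] == "XMLHttpRequest"
  end

  def non_xhr_javascript_response?(request, response)
    !!(response[:content_type] =~ JS_CONTENT_TYPE) && !xhr?(request)
  end
end

# Runs both filters around one request/response pair and reports the outcome.
def serve(request, response, forgery_protection: true)
  check = SameOriginJavascriptCheck.new(forgery_protection: forgery_protection)
  check.before_filter
  check.after_filter(request, response)
  :served
rescue InvalidCrossOriginRequest
  :blocked
end

# Constructed sample traffic (hypothetical values, not captured data).
XHR_REQUEST   = { headers: { "X-Requested-With" => "XMLHttpRequest" } }
PLAIN_REQUEST = { headers: {} }            # what a <script src> tag sends
JS_RESPONSE   = { content_type: "text/javascript; charset=utf-8" }
HTML_RESPONSE = { content_type: "text/html; charset=utf-8" }

if __FILE__ == $0
  puts serve(XHR_REQUEST, JS_RESPONSE)                               # served
  puts serve(PLAIN_REQUEST, JS_RESPONSE)                             # blocked
  puts serve(PLAIN_REQUEST, HTML_RESPONSE)                           # served
  puts serve(PLAIN_REQUEST, JS_RESPONSE, forgery_protection: false)  # served
end
```

The fourth case is the one the warning message in the initializer refers to: disabling forgery protection on an action removes the mark, so the after filter lets the cross-origin script response through. The check only fires for `text/javascript` bodies; HTML served to a plain request is unaffected.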