Rails 请求伪造保护设置
请帮助 Rails 新手:) 我有 protect_from_forgery 调用(默认情况下给出),但我的 ApplicationController 类中没有属性。
基本上代码如下:
class ApplicationController < ActionController::Base
helper :all # include all helpers, all the time
protect_from_forgery
helper_method :current_user_session, :current_user
filter_parameter_logging :password, :password_confirmation
我认为它应该做的是:它应该阻止任何没有正确 authenticity_token 的 POST 请求。但是当我像下面这样用 jQuery 发送 post 请求时,它工作正常(有在数据库中执行的更新语句)!
$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });
我在控制台中看到发送的参数中没有 authenticity_token ,但请求仍然被认为是有效的。这是为什么?
UPD 在 config/environments/development.rb 中找到配置设置
config.action_controller.consider_all_requests_local = true
由于 DEV 环境和本地请求,这些 jQuery post 请求没问题。
please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class.
Basically here's the code:
class ApplicationController < ActionController::Base
helper :all # include all helpers, all the time
protect_from_forgery
helper_method :current_user_session, :current_user
filter_parameter_logging :password, :password_confirmation
What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)!
$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });
I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?
UPD
Found config setting in config/environments/development.rb
config.action_controller.consider_all_requests_local = true
Because of the DEV environment and local requests, these jQuery post requests were OK.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
只要请求
$.post($(this).attr("href"), { _method: "PUT", data: { test: true } }); 从应用程序本身内部执行。如果您有另一个应用程序在其他地方运行,例如在 localhost:3001 上,并且您从那里发送了帖子,那么它将无法工作。事实上,如果您使用的是 Firefox > 3.0 也有跨站点 xhr 的早期实现。例如,您可以从任何其他站点发送 POST(但前提是 protected_from_forgery 已关闭!)。 xhr 不需要 auth token 的原因是跨站点 xhr 被禁用。因此,在不提供身份验证令牌的情况下使用 xhr 是安全的。如果您从应用程序以外的任何其他地方尝试,我确信它会引发异常,要求身份验证令牌。此外,您还应该定义一个 crossdomain.xml 以防止来自外部源的访问。尝试执行以下操作:
curl -X -d url_endpoint_of_your_app。查看是否收到 200 响应代码。如果你这样做了,那就有些可疑了。There is nothing wrong with your code as long as the request
$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });is executed from within the app itself. If you had another app running elsewhere, say for example on localhost:3001, and you sent a post from there then it won't work. Infact if you are on firefox > 3.0 it has an early implementation of cross site xhr too. For example you can send a POST from any other site (but this works provided protect_from_forgery is turned off!). The reason why auth token is not necessary for xhr is that cross site xhr is disabled. So it is safe to use xhr without providing auth token. If you try from any where else other than your app, i am sure it will raise an exception asking for an auth token. Also you should have a crossdomain.xml defined to prevent access from outside sources.Try doing this:
curl -X -d url_endpoint_of_your_app. See if you get a 200 response code. If you do then there is something fishy.也许是个愚蠢的问题:您确定要继承 ApplicationController 吗?你的路线图是什么样的? Rails 的版本是什么(为了清楚起见)?
您是否验证了来自 jQuery 的调用实际上是 POST 而不是 GET? (我知道,这似乎很明显)。 Rails 只会对非 GET 请求执行保护。
另外,发出的请求的内容类型是什么。根据文档,Rails 也只会执行保护,如果它是HTML/Javascript 请求。
Silly question, perhaps: Are you sure you're subclassing ApplicationController? What's your route map look like? And what version of Rails (just for clarity)?
Did you verify that the call from jQuery is actually a POST and not a GET? (I know, it seems obvious). Rails will only perform the protection on non-GET requests.
Also, what is the content-type of the request that's going out. Rails will also only perform the protection, according to the docs, if it's an HTML/Javascript request.