CSRF 无法在 Rails 中工作?
如果我创建一个全新的 Rails 应用程序(使用 Rails 3.0.9)并快速构建一些脚手架,如下所示:
$ rails new testing
$ rails g scaffold thing name:string
然后 app/controllers/application_controller.rb 默认包含“protect_from_forgery”,因此它应该在发布创建。至少,这是我的理解。
那么为什么这一行在不提供令牌的情况下成功创建了一个新事物。
$ curl -F "thing[name]=abc123" http://localhost:3000/things
日志条目显示:
Started POST "/things" for 127.0.0.1 at 2011-07-05 08:29:18 +0100
Processing by ThingsController#create as
Parameters: {"thing"=>{"name"=>"abc123"}}
AREL (0.3ms) INSERT INTO "things" ("name", "created_at", "updated_at") VALUES ('abc123', '2011-07-05 07:29:18.484457', '2011-07-05 07:29:18.484457')
Redirected to http://localhost:3000/things/18
Completed 302 Found in 89ms
我也可以这样做来删除记录:
$ curl -X DELETE http://localhost:3000/things/18
在生产模式下也会发生同样的事情。这不会让我的申请对 CSRF 开放吗?
If I create a brand new Rails application (using Rails 3.0.9) and knock up a quick bit of scaffolding as follows:
$ rails new testing
$ rails g scaffold thing name:string
Then app/controllers/application_controller.rb contains a "protect_from_forgery" by default, so it should check the authenticity_token during a POST create. At least, that's my understanding.
Why then, does this line successfully create a new Thing, without supplying the token.
$ curl -F "thing[name]=abc123" http://localhost:3000/things
The log entry says:
Started POST "/things" for 127.0.0.1 at 2011-07-05 08:29:18 +0100
Processing by ThingsController#create as
Parameters: {"thing"=>{"name"=>"abc123"}}
AREL (0.3ms) INSERT INTO "things" ("name", "created_at", "updated_at") VALUES ('abc123', '2011-07-05 07:29:18.484457', '2011-07-05 07:29:18.484457')
Redirected to http://localhost:3000/things/18
Completed 302 Found in 89ms
I can also do this to delete records:
$ curl -X DELETE http://localhost:3000/things/18
The same thing happens in production mode. Doesn't this leave my application open to CSRF?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您传递无效的 CSRF 令牌或在没有它的情况下发送请求,Rails 将使会话无效,因此如果您的应用程序可以被所有人访问,则
protect_form_forgery毫无用处。但如果您有基于会话的身份验证系统,它将使您的应用程序免受 CSRF 攻击。
详细信息:Rails CSRF 保护如何工作?
If you pass invalid CSRF token or send request without it, Rails will nullify session, so
protect_form_forgeryis useless if your application could be accessed by everyone.But it will save your application from CSRF attack if you have session-based authentication system.
More info: How does Rails CSRF protection work?