修补Rails 3以修复CSRF保护漏洞
Patch Rails 3 to fix CSRF protection vulnerability
我目前正在做一个使用Rails 3.2的大项目,没有机会转到Rails 4。正如我所知,当您拥有GET请求的JS视图时,Rails3有CSRF保护漏洞。在Rails4中,它是由这个PR修复的。
https://github.com/rails/rails/pull/13345/files
有人知道我如何修补Rails3来修复这个漏洞吗?
您可以对Rails 3.2 ActionController:: RequestForgeryProtection
模块应用完全相同的更改。
# config/initializers/cross_origin_script_tag_protection.rb
module ActionController
class InvalidCrossOriginRequest < ActionControllerError
end
module RequestForgeryProtection
module ClassMethods
def protect_from_forgery(options = {})
self.request_forgery_protection_token ||= :authenticity_token
prepend_before_filter :verify_authenticity_token, options
append_after_action :verify_same_origin_request
end
end
protected
def verify_authenticity_token
@marked_for_same_origin_verification = true
unless verified_request?
logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
handle_unverified_request
end
end
CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " '
"<script> tag on another site requested protected JavaScript. " '
"If you know what you're doing, go ahead and disable forgery " '
"protection on this action to permit cross-origin JavaScript embedding."
private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING
# If `verify_authenticity_token` was run (indicating that we have
# forgery protection enabled for this request) then also verify that
# we aren't serving an unauthorized cross-origin response.
def verify_same_origin_request
if marked_for_same_origin_verification? && non_xhr_javascript_response?
logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
end
end
# If the `verify_authenticity_token` before_action ran, verify that
# JavaScript responses are only served to same-origin GET requests.
def marked_for_same_origin_verification?
defined? @marked_for_same_origin_verification
end
# Check for cross-origin JavaScript responses.
def non_xhr_javascript_response?
content_type =~ %r('Atext/javascript) && !request.xhr?
end
end
end
请告诉我它是否适合你。
相关文章:
- JS表单提交"无法使用Chrome数据保护程序加载此页面.尝试重新加载页面.调试信息:POST CISmtuK
- Django: AJAX + CSRF POST gives 403
- 元标记中使用令牌的 CSRF 保护 - 为什么它不能被盗
- 修补Rails 3以修复CSRF保护漏洞
- 提交Javascript表单时出现Codeigniter csrf保护错误
- 如何设置会话 Cookie 以保护和使用 CSRF 令牌
- spring CSRF保护一个HTML *仅*登录页面
- 如何在javascript中创建的表单中添加CSRF保护
- 不理解django的CSRF保护是如何工作的
- 如何保护浏览器使用的RESTful API免受CSRF攻击
- 移动设备上的CSRF保护(在cordova中运行)
- 如何在javascript中对带有CSRF保护的django框架进行适当的ajax调用
- 当尝试用ajax上传文件时,CSRF保护总是失败
- 如何用包含csrf保护的js生成link_to等价
- 针对GET请求的CSRF保护
- 保护奥蕾莉亚免受CSRF攻击
- 我是否需要启用 CSRF 保护
- Struts2令牌拦截器:CSRF保护
- 使用javascript进行CSRF保护
- SPA中刷新令牌Cookie的CSRF保护