Ajax DELETE accepted without authenticity_token
Reported by Lawrence Pit | August 11th, 2008 @ 02:34 AM | in 2.x
Using Prototype 1.6.0.2 with emulateUncommonMethods=false (an option of Prototype's Ajax.Request), sending an Ajax DELETE request without including an authenticity_token is accepted by Rails, and deletes the resource.
Is this a security risk, or a bug?
For example:
The client side (in firebug) reports this:
@@@
DELETE http://localhost:3000/tasks/35

Request Headers:
Host                 localhost
User-Agent           Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Accept               application/json, */*
Accept-Language      en-us,en;q=0.5
Accept-Encoding      gzip,deflate
Accept-Charset       ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive           300
Connection           keep-alive
X-Requested-With     XMLHttpRequest
X-Prototype-Version  1.6.0.2
Referer              http://localhost/tasks
Content-Length       0
Content-Type         application/xml; charset=UTF-8
Cookie               _server_session=BAh7BzoMY3NyZl9pZCIlMWMwMWM0NTkxMWRhMDlmYzEyMzUyNTczMjY3OTUx%0ANzkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%0Ac2h7AAY6CkB1c2VkewA%3D--b2a09d4327f903448d3ddfd252fee1ed9fa63f65

Response Headers:
Date                 Mon, 11 Aug 2008 01:26:45 GMT
Server               Mongrel 1.1.5
Status               200 OK
X-Runtime            0.00930
Etag                 "7215ee9c7d9dc229d2921a40e899ec5f"
Cache-Control        private, max-age=0, must-revalidate
Content-Type         application/json; charset=utf-8
Content-Length       1
Keep-Alive           timeout=5, max=58
Connection           Keep-Alive
@@@
The server side reports this:
@@@
Processing TasksController#destroy (for 127.0.0.1 at 2008-08-11 11:26:45) [DELETE]
Session ID: BAh7BzoMY3NyZl9pZCIlMWMwMWM0NTkxMWRhMDlmYzEyMzUyNTczMjY3OTUx
NzkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--b2a09d4327f903448d3ddfd252fee1ed9fa63f65
Parameters: {"action"=>"destroy", "id"=>"35", "controller"=>"tasks"}
Task Load (0.000286) SELECT * FROM "tasks" WHERE ("tasks"."id" = 35)
Task Destroy (0.000319) DELETE FROM "tasks"
WHERE "id" = 35
Completed in 0.00930 (107 reqs/sec) | Rendering: 0.00015 (1%) | DB: 0.00061 (6%) | 200 OK [http://localhost:3000/tasks/35]
@@@
When I switch emulateUncommonMethods to true, the client does a POST with _method=delete, and then it does complain about an invalid authenticity token (it's missing, of course). The controller I use is just a simple scaffolded one.
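As an added illustration (not code from this ticket or from Rails itself), here is a simplified model of the server-side check the report expects: every state-changing verb, whether a genuine DELETE or a POST carrying the `_method=delete` override, must present the session's authenticity token. The request-hash shape and key names (`:method`, `:params`, `:session_token`) are assumptions made for the example.

```ruby
# Simplified model of the server-side forgery check discussed in this
# ticket. Added illustration, not Rails' own protect_from_forgery code:
# a request is a plain hash with the real HTTP verb, the parsed params
# (which may carry the Rails-style "_method" override), and the token
# the server stored in the session. The key names are assumptions.
SAFE_METHODS = %w[GET HEAD].freeze

# Resolve the effective verb. Rails lets a POST carry "_method=delete",
# which is what Prototype sends when emulateUncommonMethods is true; with
# it false the browser issues a genuine DELETE, as in the report above.
def effective_method(request)
  verb = request[:method].to_s.upcase
  override = request[:params].fetch('_method', '').to_s.upcase
  verb == 'POST' && !override.empty? ? override : verb
end

# Constant-time string comparison so the check does not leak the token
# byte by byte through timing differences.
def tokens_match?(expected, given)
  return false unless expected.is_a?(String) && given.is_a?(String)
  return false unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# Every state-changing verb needs the token, whether it arrives as a
# genuine DELETE or as a POST emulating one. Content type and the
# X-Requested-With header are deliberately not consulted: they describe
# the request's format, not who initiated it.
def verified_request?(request)
  return true if SAFE_METHODS.include?(effective_method(request))
  tokens_match?(request[:session_token], request[:params]['authenticity_token'])
end

if __FILE__ == $PROGRAM_NAME
  token = 'constructed-session-token' # constructed sample value
  cases = {
    'DELETE, no token (emulateUncommonMethods=false)' =>
      { method: 'DELETE', params: {}, session_token: token },
    'POST _method=delete, no token (emulateUncommonMethods=true)' =>
      { method: 'POST', params: { '_method' => 'delete' }, session_token: token },
    'DELETE with token' =>
      { method: 'DELETE', params: { 'authenticity_token' => token }, session_token: token }
  }
  cases.each { |label, req| puts "#{label}: #{verified_request?(req) ? 'accepted' : 'rejected'}" }
end
```

Run stand-alone, the first two of the three constructed cases are rejected and only the tokened DELETE is accepted.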
Comments and changes to this ticket

Lawrence Pit August 11th, 2008 @ 03:23 AM
Please delete this ticket; there was a misbehaving proxy server in between.

Joshua Peek November 22nd, 2008 @ 07:37 PM
→ State changed from new to invalid