Ajax DELETE accepted without authenticity_token
Reported by Lawrence Pit | August 11th, 2008 @ 02:34 AM | in 2.x
Using prototype 1.6.0.2 with emulateUncommonMethods=false (option of prototype's Ajax.Request), sending an Ajax DELETE request without including an authenticity_token is accepted by rails, and deletes the resource.
Is this a security risk, or rather a bug?
For example:
The client side (in firebug) reports this:
@@@
DELETE http://localhost:3000/tasks/35

Request Headers:
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Accept: application/json, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.2
Referer: http://localhost/tasks
Content-Length: 0
Content-Type: application/xml; charset=UTF-8
Cookie: _server_session=BAh7BzoMY3NyZl9pZCIlMWMwMWM0NTkxMWRhMDlmYzEyMzUyNTczMjY3OTUx%0ANzkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%0Ac2h7AAY6CkB1c2VkewA%3D--b2a09d4327f903448d3ddfd252fee1ed9fa63f65

Response Headers:
Date: Mon, 11 Aug 2008 01:26:45 GMT
Server: Mongrel 1.1.5
Status: 200 OK
X-Runtime: 0.00930
Etag: "7215ee9c7d9dc229d2921a40e899ec5f"
Cache-Control: private, max-age=0, must-revalidate
Content-Type: application/json; charset=utf-8
Content-Length: 1
Keep-Alive: timeout=5, max=58
Connection: Keep-Alive
@@@
The server side reports this:
@@@
Processing TasksController#destroy (for 127.0.0.1 at 2008-08-11 11:26:45) [DELETE]
  Session ID: BAh7BzoMY3NyZl9pZCIlMWMwMWM0NTkxMWRhMDlmYzEyMzUyNTczMjY3OTUx
NzkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh
c2h7AAY6CkB1c2VkewA=--b2a09d4327f903448d3ddfd252fee1ed9fa63f65
  Parameters: {"action"=>"destroy", "id"=>"35", "controller"=>"tasks"}
  Task Load (0.000286)   SELECT * FROM "tasks" WHERE ("tasks"."id" = 35)
  Task Destroy (0.000319)   DELETE FROM "tasks" WHERE "id" = 35
Completed in 0.00930 (107 reqs/sec) | Rendering: 0.00015 (1%) | DB: 0.00061 (6%) | 200 OK [http://localhost:3000/tasks/35]
@@@
When I set emulateUncommonMethods to true, the client does a POST with _method=delete, and then it does complain about an invalid authenticity token (it's missing, of course). The controller I use is just a simple scaffolded one.
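Added illustration, not code from the ticket, from Rails or from Prototype: a small Ruby model of the request check that Rails' protect_from_forgery performs, showing that the token requirement applies to a native Ajax DELETE exactly as it does to the POST with _method=delete that the reporter saw rejected. The function names, the 422 status code used for a rejected request and the token format are assumptions made for this example; the request shapes are taken from the ticket.

```ruby
# Constructed example of a Rails-style authenticity-token check. Not Rails'
# own implementation; function names and the 422 status are assumptions.
require 'securerandom'

# Only idempotent read methods are exempt from the token check.
SAFE_METHODS = %w[GET HEAD].freeze

# Per-session token, as Rails keeps one in the session store.
def generate_authenticity_token
  SecureRandom.hex(32)
end

# Resolve the effective verb: a POST may carry a _method override, which is
# what Prototype sends when emulateUncommonMethods is true.
def effective_method(http_method, params)
  verb = http_method.to_s.upcase
  override = params['_method']
  if verb == 'POST' && override
    override.to_s.upcase
  else
    verb
  end
end

# Constant-time comparison so a mismatch does not leak where it occurred.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# True when the request may proceed. Every verb other than GET/HEAD, whether a
# native DELETE or a POST emulating one, must carry the session's token.
def verified_request?(http_method, params, session_token)
  verb = effective_method(http_method, params)
  return true if SAFE_METHODS.include?(verb)
  submitted = params['authenticity_token']
  !submitted.nil? && secure_compare(submitted, session_token)
end

# Dispatch helper modelling the two request shapes from the ticket.
def handle(http_method, params, session_token)
  if verified_request?(http_method, params, session_token)
    { status: 200, body: 'destroyed' }
  else
    { status: 422, body: 'ActionController::InvalidAuthenticityToken' }
  end
end

if __FILE__ == $PROGRAM_NAME
  token = generate_authenticity_token
  # Native Ajax DELETE with no token (emulateUncommonMethods=false): rejected.
  p handle('DELETE', {}, token)
  # POST with _method=delete and no token (emulation on): also rejected.
  p handle('POST', { '_method' => 'delete' }, token)
  # The same DELETE carrying the session's token: accepted.
  p handle('DELETE', { 'authenticity_token' => token }, token)
end
```

The check keys on the effective verb, not on how the request was transported, so a proxy or client library rewriting DELETE into POST (or the reverse) does not change the outcome: anything that is not GET or HEAD needs the token.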
Comments and changes to this ticket
-
Lawrence Pit August 11th, 2008 @ 03:23 AM
Please delete this ticket... there was a misbehaving proxy server in between.
-
josh November 22nd, 2008 @ 07:37 PM
- State changed from new to invalid