
#797 ✓invalid
Lawrence Pit

Ajax DELETE accepted without authenticity_token

Reported by Lawrence Pit | August 11th, 2008 @ 02:34 AM | in 2.x

Using Prototype with emulateUncommonMethods=false (an option of Prototype's Ajax.Request), sending an Ajax DELETE request without including an authenticity_token is accepted by Rails, and deletes the resource.

Is this a security risk, or rather a bug?

For example:

The client side (in Firebug) reports this:

@@@
DELETE http://localhost:3000/tasks/35

Request Headers:
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/2008070206 Firefox/3.0.1
Accept: application/json, /
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version:
Referer: http://localhost/tasks
Content-Length: 0
Content-Type: application/xml; charset=UTF-8
Cookie: _server_session=BAh7BzoMY3NyZl9pZCIlMWMwMWM0NTkxMWRhMDlmYzEyMzUyNTczMjY3OTUx%0ANzkiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%0Ac2h7AAY6CkB1c2VkewA%3D--b2a09d4327f903448d3ddfd252fee1ed9fa63f65

Response Headers:
Date: Mon, 11 Aug 2008 01:26:45 GMT
Server: Mongrel 1.1.5
Status: 200 OK
X-Runtime: 0.00930
Etag: "7215ee9c7d9dc229d2921a40e899ec5f"
Cache-Control: private, max-age=0, must-revalidate
Content-Type: application/json; charset=utf-8
Content-Length: 1
Keep-Alive: timeout=5, max=58
Connection: Keep-Alive
@@@

The server side reports this:

@@@
Processing TasksController#destroy (for at 2008-08-11 11:26:45) [DELETE]
  Session ID: BAh7BzoMY3NyZl9pZCIlMWMwMWM0NTkxMWRhMDlmYzEyMzUyNTczMjY3OTUx
  Parameters: {"action"=>"destroy", "id"=>"35", "controller"=>"tasks"}
  Task Load (0.000286)   SELECT * FROM "tasks" WHERE ("tasks"."id" = 35)
  Task Destroy (0.000319)    DELETE FROM "tasks"
 WHERE "id" = 35

Completed in 0.00930 (107 reqs/sec) | Rendering: 0.00015 (1%) | DB: 0.00061 (6%) | 200 OK [http://localhost:3000/tasks/35]
@@@

When I set emulateUncommonMethods to true, the client does a POST with _method=delete, and then it does complain about an invalid authenticity token (it's missing, of course). The controller I use is just a simple scaffolded one.
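The following Ruby model is an added illustration written for this page, not code from the ticket or from Rails: it reconstructs the 2.x-era rule that only checked the token for browser-form content types (so the raw `application/xml` DELETE above is skipped while the `_method=delete` POST is verified), and puts a stricter rule that verifies every non-GET request beside it. The `Request` struct, the constant names and the session token value are all constructed for the example.

```ruby
# Illustrative model of the forgery check discussed in the ticket; not Rails source.
# Content types a plain HTML form can submit; the 2.x-style rule only checked these.
BROWSER_FORM_TYPES = %w[text/html application/x-www-form-urlencoded
                        multipart/form-data text/plain].freeze

Request = Struct.new(:http_method, :content_type, :params, :session_token)
class InvalidAuthenticityToken < StandardError; end

def browser_generated?(content_type)
  return true if content_type.nil?                      # no type at all is still checked
  BROWSER_FORM_TYPES.include?(content_type.split(';').first.strip)
end

# 2.x-style rule: skip the token check for non-form content types such as XML/JSON.
def verified_request_legacy?(req)
  return true if req.http_method == :get
  return true unless browser_generated?(req.content_type) # <- the gap the ticket hits
  req.params['authenticity_token'] == req.session_token
end

# Stricter rule: every non-GET request must carry the token, whatever its content type.
def verified_request_strict?(req)
  return true if req.http_method == :get
  req.params['authenticity_token'] == req.session_token
end

def destroy(req, checker)
  raise InvalidAuthenticityToken unless send(checker, req)
  :destroyed
end

def outcome(req, checker)
  destroy(req, checker)
rescue InvalidAuthenticityToken
  :rejected
end

SESSION_TOKEN = 'constructed-token-1234' # constructed sample value
# The ticket's request: raw DELETE, XML content type, no token.
RAW_DELETE = Request.new(:delete, 'application/xml; charset=UTF-8', {}, SESSION_TOKEN)
# emulateUncommonMethods=true: POST with _method=delete, still no token.
EMULATED_DELETE = Request.new(:post, 'application/x-www-form-urlencoded',
                              { '_method' => 'delete' }, SESSION_TOKEN)
# A legitimate request that includes the token.
TOKENED_DELETE = Request.new(:post, 'application/x-www-form-urlencoded',
                             { '_method' => 'delete', 'authenticity_token' => SESSION_TOKEN },
                             SESSION_TOKEN)

if __FILE__ == $PROGRAM_NAME
  [RAW_DELETE, EMULATED_DELETE, TOKENED_DELETE].each do |r|
    puts "#{r.content_type} legacy=#{outcome(r, :verified_request_legacy?)} " \
         "strict=#{outcome(r, :verified_request_strict?)}"
  end
end
```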
