On May 22, 2008, at 10:46 PM, Bluebie, Jenna wrote:
We've just come across an issue for consideration. I am avoiding
some words which would allow people to find this message in an
internet search who have questionable intentions, but wish to
communicate a strong sense of caution. Consider someone who adds
extra methods to their controller which they use in their main get/
post methods to do things or to get secret data. Consider now, this
http request:
FOO / HTTP/1.1
And consider that camping allows methods to return a string and have
that returned as a body. This could make for a lovely convenient
form of RPC, but to those unaware, it seems there could be negative
results. Aria has discovered with some testing that it is also
possible to access helper methods remotely in this way, which is
especially worth consideration as some of us use helper methods to
do important things, and do not expect them to be directly
accessible to the outside world.
In my own app, I will be using a service to filter all requests
which don't use a standard http method. I'd like to suggest that in
the next release of camping, we could do something like return
unless ['GET', 'POST', 'DELETE', 'HEAD'].include?(request_method),
perhaps in the run method of camping. Or maybe we could raise an
error. I'd also appreciate it if this update were deployed to
rubygems servers without haste. I'll be sure to post the service I
write to work around this issue just as soon as I'm done writing it.
return unless ['GET', 'POST', 'DELETE', 'HEAD'].include?
(ControllerClass.instance_methods(false)) -- only use methods defined
directly in the controller?
—
Thoughtful Pony
_______________________________________________
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
Aria Stewart
[EMAIL PROTECTED]
_______________________________________________
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list