On 29 Mar 2010, at 01:06, Bill Moseley wrote:
> I do this -- every POST must include a token, and the token can only
> be used once. That means the form must be fetched before being
> posted (to generate the token).
>
> Have anything generic you'd care to share? :)
>
>> However this would obviously not catch forms generated purely from
>> Javascript (and a number of other cases), and so I'm somewhat
>> doubtful of its value in more complex applications. I can certainly
>> remember the stuff which tries to achieve this that is baked into
>> Rails making me scream :)
>
> I'm not clear how javascript is an issue here, unless the attacker
> has injected javascript into my site.

The issue is that if you're generating a form in javascript, and
submitting it in javascript, then something finding forms in the page
output (and adding a token automatically), which was what I initially
suggested, would fail to find the form, and ergo you'd have an issue :)
(i.e. it couldn't 'just work automatically' in that case without the
application collaborating in some manner).
Cheers
t0m
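Added illustration (not code from this thread, not Catalyst code): a stand-alone Python sketch of the two pieces being discussed, a per-session store of single-use tokens that every POST must present, and the "find the forms in the page output and add a hidden field" rewrite. It also shows the gap t0m describes: a form built only by script is never seen by the rewriter, so the application has to hand the token to the script some other way (here a meta tag). The names CsrfTokens, inject_tokens, csrf_meta_tag, extract_token and handle_post, the field name csrf_token and the TTL are all made up for this example.

```python
"""Single-use CSRF tokens: issue, inject into rendered forms, consume on POST.

Hypothetical stand-alone sketch; every name in here is invented for the example.
"""
import hmac
import re
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # constructed policy value: how long an unused token stays valid


class CsrfTokens:
    """Per-session store of tokens that each validate at most once."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._tokens = {}    # session_id -> {token: expiry_timestamp}
        self._ttl = ttl
        self._clock = clock  # injectable so a test can control time

    def issue(self, session_id):
        """Mint a fresh random token bound to this session."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[token] = self._clock() + self._ttl
        return token

    def consume(self, session_id, presented):
        """Return True exactly once for a live token of this session, then discard it."""
        bucket = self._tokens.get(session_id, {})
        now = self._clock()
        matched = None
        for token, expiry in list(bucket.items()):
            if expiry < now:
                del bucket[token]  # expired tokens are purged lazily
                continue
            # Constant-time comparison on bytes, so a non-ASCII guess cannot raise
            if hmac.compare_digest(token.encode(), presented.encode()):
                matched = token
        if matched is None:
            return False
        del bucket[matched]  # single use: replaying the same value fails
        return True


# Opening tag of any form whose method is POST (case-insensitive).
POST_FORM_RE = re.compile(r'<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>', re.IGNORECASE)


def inject_tokens(html, store, session_id):
    """Rewrite server-rendered HTML so every POST form carries a hidden token.

    This is the 'find the forms in the page output' approach: it only sees
    forms that exist in the HTML. A form assembled later by JavaScript never
    passes through here, which is the gap the thread is about.
    """
    def add_field(match):
        token = store.issue(session_id)
        return match.group(0) + f'<input type="hidden" name="csrf_token" value="{token}">'
    return POST_FORM_RE.sub(add_field, html)


def csrf_meta_tag(store, session_id):
    """Token placed in the page head for script-built forms to copy into their POST.

    This is the 'application collaborates' part: client-side code reads the
    meta tag and adds the csrf_token field itself.
    """
    return f'<meta name="csrf-token" content="{store.issue(session_id)}">'


def extract_token(html):
    """Pull the token value back out of rendered markup (helper for the demo)."""
    m = re.search(r'(?:name="csrf_token" value|name="csrf-token" content)="([^"]+)"', html)
    return m.group(1) if m else None


def handle_post(store, session_id, form_fields):
    """Accept a POST only when it carries a valid, unused token; 403 otherwise."""
    if not store.consume(session_id, form_fields.get("csrf_token", "")):
        return 403
    return 200


if __name__ == "__main__":
    store = CsrfTokens()
    page = inject_tokens('<form method="POST" action="/save"><input name="q"></form>', store, "sess-1")
    token = extract_token(page)
    print(handle_post(store, "sess-1", {"csrf_token": token}))  # 200
    print(handle_post(store, "sess-1", {"csrf_token": token}))  # 403, token already used
```

The store is in-process and keyed by session id, which is enough to show the mechanics; a real deployment would keep the tokens wherever the session lives. Note that `inject_tokens` returns a page without `<div id="app">`-style script mounts untouched, which is exactly why a script-built form needs `csrf_meta_tag` (or an equivalent) to obtain its token.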
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/