Hi all,

My team and I are finding ourselves a little in the dark about the "CSRF Protection Bypass in Ruby on Rails" vulnerability that was announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails

1. Where is the complete Advisory? The Impact section is very unclear. The comment in the 2.3 patch mentions "Flash animations and Java applets" - does the whole thing deserve a bit more explaining?

2. Lines 40-48 in the 2.3 patch change the CSRF protection to only allow GET requests and requests with the correct form authenticity token through - is this not going to break stateless web service and ActiveResource POST requests that do not maintain state on the client side?
   - Line 228 in the 2.3 patch tests that XML requests should be validated for the authenticity token. This is going to break quite a few things.

Should Rails by default (still) support authenticated stateless requests (for the sake of web services)? Or should we handle this by overriding handle_unverified_request (line 31, patch 2.3)? What am I missing?

Thanks
Siebert
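A plain-Ruby model of the post-patch check and of the handle_unverified_request override discussed in the post, added here as an illustration; it is not Rails code and not from the thread. The Request struct, the API key value and the X-Api-Key header are assumptions, and in this model the hook returns whether the request may proceed rather than raising:

```ruby
# Added example (not Rails code): a model of the post-patch check the post
# describes. Request, the API key and the X-Api-Key header are constructed.
Request = Struct.new(:verb, :params, :headers) do
  def get?
    verb == 'GET'
  end
end

class ForgeryProtection
  def initialize(session_token)
    @session_token = session_token
  end

  # Post-patch rule: only GET requests, or requests carrying the correct
  # authenticity token, pass. Content type (XML, JSON, ...) no longer matters.
  def verified_request?(req)
    req.get? ||
      constant_time_equal?(req.params['authenticity_token'].to_s, @session_token.to_s)
  end

  # The overridable hook the post mentions. In this model it returns whether
  # the request may proceed; the default rejects everything.
  def handle_unverified_request(_req)
    false
  end

  # Equivalent of the before-filter: true if the request may proceed.
  def verify_authenticity_token(req)
    verified_request?(req) || handle_unverified_request(req)
  end

  # Compare without leaking where the strings first differ; an empty
  # candidate never matches, so a missing session token cannot pass.
  def constant_time_equal?(a, b)
    return false if a.empty? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A stateless API has no session-held token, so it overrides the hook and
# accepts only requests that prove themselves with another credential.
class ApiForgeryProtection < ForgeryProtection
  API_KEY = 'example-api-key'.freeze # constructed value

  def handle_unverified_request(req)
    constant_time_equal?(req.headers['X-Api-Key'].to_s, API_KEY)
  end
end
```

A real Rails application would put the override in the API controllers only, so browser-facing controllers keep the default rejection.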
