Today there was a posting by Stefano di Paola to the Web Security Mailing List,
http://www.webappsec.org/lists/websecurity about "HTTP Parameter Pollution", with a reference to his and Luca Carettoni's presentation at http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

The point is that different web servers/backends behave differently when handling requests such as

    GET /foo?par1=val1&par1=val2 HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: Host
    Accept: */*

    POST /foo HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: Host
    Accept: */*
    Content-Length: 19

    par1=val1&par1=val2

The point is that the same key (here par1) occurs with two or more values. They document both server and client side attacks based on this.

On page 9 the presentation lists many HTTP servers/backends, but not Rails (instead, the Linksys Wireless-G PTZ Internet Camera is included :-). I believe Rails falls under "Last occurrence", and I think that works out well. In particular, I see Rails handling requests such as

    http://localhost:3000/login?controller=other_controller&action=other_action&action=another_action

just fine -- the controller/action one expects is invoked (here, login/index).

However, I couldn't find the behaviour with respect to such multiple key-value assignments, or attempts at overriding the "Rails special" controller/action keys, covered in the actionpack unit tests.

Can you make out any security problems?

Stephan
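An added example, not part of the original post and not Rails or actionpack code: a small Ruby check that resolves a query string under "first occurrence", "last occurrence" and "joined" precedence, and reports the keys on which two components with different precedence would disagree. All function names are hypothetical, the sample queries are constructed from the requests quoted above, and the parsing uses Ruby's standard URI library rather than Rails' own parameter parser.

```ruby
require 'uri'

# Precedence policies a parser may apply to a repeated scalar key.
POLICIES = {
  first: ->(values) { values.first },
  last:  ->(values) { values.last },
  join:  ->(values) { values.join(',') }
}.freeze

# Group decoded pairs by key, preserving order of occurrence.
def grouped_params(query)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), acc|
    (acc[key] ||= []) << value
  end
end

# Resolve every key under one policy (:first, :last or :join).
def resolve(query, policy)
  pick = POLICIES.fetch(policy)
  grouped_params(query).transform_values { |values| pick.call(values) }
end

# Keys repeated with scalar syntax; "key[]" is the explicit array form
# and is not flagged.
def polluted_keys(query)
  grouped_params(query)
    .select { |key, values| values.size > 1 && !key.end_with?('[]') }
    .keys
end

# Keys on which two components with different policies would disagree,
# e.g. an input filter reading the first value and an app reading the last.
def disagreements(query, front_policy, back_policy)
  front = resolve(query, front_policy)
  back = resolve(query, back_policy)
  front.keys.select { |key| front[key] != back[key] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs modelled on the requests in the post.
  ['par1=val1&par1=val2',
   'controller=other_controller&action=other_action&action=another_action',
   'ids[]=1&ids[]=2&page=3'].each do |q|
    puts "#{q}\n  polluted: #{polluted_keys(q).inspect}  " \
         "first/last differ on: #{disagreements(q, :first, :last).inspect}"
  end
end
```

A check like polluted_keys can run in a Rack middleware or a log review job to surface requests that repeat a scalar key before any precedence rule is applied to them.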

