Re: two security questions
This example worked here:

    require 'rubygems'
    require 'rack/csrf'
    require 'camping'
    require 'camping/session'

    Camping.goes :Hello

    module Hello
      use Rack::Csrf
      include Camping::Session
    end

    module Hello::Controllers
      class Index
        def get
          Rack::Csrf.csrf_token(@env)
        end
      end
    end

Notice that you'll have to reverse the `use`-lines. Maybe we should file that as a bug? Since it works the other way both in Rackup files and Sinatra?

// Magnus Holm

On Wed, Aug 11, 2010 at 21:33, David Susco dsu...@gmail.com wrote:
> Ted,
>
> Do you use Camping::Session with Rack::Csrf? If so, how did you get it to work? Once I include Camping::Session the csrf_token changes every time I call the method.
>
> Can anyone explain what include Camping::Session is actually doing?
>
> Dave
>
> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble t...@tedkimble.com wrote:
>> For cross-site request forgery protection I've simply used the Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). The github page is pretty self-explanatory.
>>
>> For Haml, you should just be able to set its :escape_html option to true and then %p= @something_nasty will be escaped by default. See: http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option for more info.
>>
>> Best,
>> Ted
>>
>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco dsu...@gmail.com wrote:
>>> Hey guys,
>>>
>>> What do people do to protect against cross-site request forgery? To mimic what rails does I was thinking of creating a unique key for each session, and then in my logged_in? helper checking if the key passed by the user matches the one I set in the session.
>>>
>>> On the second question, I'm using Tilt with Haml templates. Any idea how I can set Haml's :escape_html option so each template escapes all HTML within variables?
>>>
>>> --
>>> Dave

___
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
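An added example, not code from this thread, from rack_csrf or from Camping, showing the mechanism the thread is circling: a per-session token in the style of Dave's plan, implemented as a small middleware over a hand-rolled in-memory session layer that stands in for Camping::Session or Rack::Session::Cookie. The names InMemorySession, CsrfGuard, build, exercise, the pre-parsed 'form' env key and the "sid=" cookie format are all assumptions made for this example. It demonstrates why the token is only stable when the session middleware runs before the CSRF guard (Ted's "check that rack.session is present" advice), that the token is bound to one session so a token lifted from another session is rejected, and that the comparison is constant-time.

```ruby
require 'securerandom'

# Constant-time comparison: the check must not leak, via timing, how many
# leading bytes of a guessed token were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for a session middleware (Camping::Session / Rack::Session::Cookie),
# assumed for this example: it reads the session id from the cookie header,
# restores that client's hash into env['rack.session'] and sets the cookie
# on the way out.
class InMemorySession
  def initialize(app)
    @app = app
    @store = {}
  end

  def call(env)
    sid = env['HTTP_COOKIE'].to_s[/sid=(\h+)/, 1] || SecureRandom.hex(16)
    env['rack.session'] = (@store[sid] ||= {})
    status, headers, body = @app.call(env)
    [status, headers.merge('Set-Cookie' => "sid=#{sid}; HttpOnly; SameSite=Lax"), body]
  end
end

# Hypothetical per-session CSRF guard written for this example (not rack_csrf):
# one random token per session; every non-safe request must echo it back.
class CsrfGuard
  TOKEN_KEY = 'csrf.token'.freeze
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(app)
    @app = app
  end

  # Mint the token on first use and keep it in the session. It can only be
  # stable across requests if a session middleware earlier in the chain has
  # already restored env['rack.session'] for this client.
  def self.token(env)
    session = env['rack.session']
    raise 'no rack.session in env: mount the session middleware before CsrfGuard' unless session
    session[TOKEN_KEY] ||= SecureRandom.hex(32)
  end

  def call(env)
    unless SAFE_METHODS.include?(env['REQUEST_METHOD'])
      submitted = env.fetch('form', {})['_csrf'].to_s # assumed: a pre-parsed form field
      unless secure_compare(submitted, CsrfGuard.token(env))
        return [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
      end
    end
    @app.call(env)
  end
end

# The application: GET hands out the token (as a form would), POST is the
# state-changing action the guard protects.
APP = lambda do |env|
  body = env['REQUEST_METHOD'] == 'GET' ? CsrfGuard.token(env) : 'transferred'
  [200, { 'Content-Type' => 'text/plain' }, [body]]
end

# Assemble a chain, outermost middleware first.
def build(*middlewares)
  middlewares.reverse.inject(APP) { |app, mw| mw.new(app) }
end

# Drive one client through the chain and report the checks a practitioner
# would make: is the token stable within a session, bound to that session,
# and is the POST gate enforced?
def exercise(app)
  get = lambda do |cookie|
    env = { 'REQUEST_METHOD' => 'GET' }
    env['HTTP_COOKIE'] = cookie if cookie
    app.call(env)
  end
  post = lambda do |cookie, csrf|
    app.call('REQUEST_METHOD' => 'POST', 'HTTP_COOKIE' => cookie, 'form' => { '_csrf' => csrf }).first
  end

  _, headers, body = get.call(nil)
  cookie = headers['Set-Cookie'].split(';').first # "sid=..."
  token = body.first
  {
    token_stable_within_session: token == get.call(cookie)[2].first,
    token_differs_across_sessions: token != get.call(nil)[2].first,
    post_with_token: post.call(cookie, token),                 # 200
    post_without_token: post.call(cookie, ''),                 # 403
    post_with_token_from_other_session: post.call(nil, token)  # 403
  }
end

# Ted's diagnosis in code: run the guard outside the session layer and a
# POST fails loudly because env['rack.session'] does not exist yet.
def misordered_error
  build(CsrfGuard, InMemorySession).call('REQUEST_METHOD' => 'POST', 'form' => { '_csrf' => 'x' })
  nil
rescue RuntimeError => e
  e.message
end

puts exercise(build(InMemorySession, CsrfGuard)).inspect
```

Two design points worth noting. The guard raises rather than silently minting a throwaway token when no session is present, so a mis-ordered chain fails at the first POST instead of producing the "token changes every time" symptom Dave saw. And the cookie is HttpOnly with SameSite=Lax, which does not replace the token check but removes the most common cross-site POST vector for free.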
Re: two security questions
Ted,

Do you use Camping::Session with Rack::Csrf? If so, how did you get it to work? Once I include Camping::Session the csrf_token changes every time I call the method.

Can anyone explain what include Camping::Session is actually doing?

Dave

On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble t...@tedkimble.com wrote:
> For cross-site request forgery protection I've simply used the Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). The github page is pretty self-explanatory.
>
> For Haml, you should just be able to set its :escape_html option to true and then %p= @something_nasty will be escaped by default. See: http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option for more info.
>
> Best,
> Ted
Re: two security questions
Dave,

Unfortunately I've actually not yet used Rack::Csrf with Camping. In Sinatra, I just:

    use Rack::Session::Cookie, :secret => something
    use Rack::Csrf

and it works fine. Looking at Camping's source for Camping::Session, it looks like it's basically doing the same (http://github.com/camping/camping/blob/master/lib/camping/session.rb#L32).

The csrf_token shouldn't be changing every time, as Rack::Csrf is storing it in your session. Can you verify that rack.session is present in your session?

Ted

On Wed, Aug 11, 2010 at 2:33 PM, David Susco dsu...@gmail.com wrote:
> Ted,
>
> Do you use Camping::Session with Rack::Csrf? If so, how did you get it to work? Once I include Camping::Session the csrf_token changes every time I call the method.
>
> Can anyone explain what include Camping::Session is actually doing?
>
> Dave
Re: two security questions
Thanks, that did the trick. Got to comb through my templates now though :P.

On Tue, Aug 10, 2010 at 4:01 PM, Magnus Holm judo...@gmail.com wrote:
> David,
>
> As far as I remember, this should work:
>
>     module App
>       set :haml, { :escape_html => true }
>     end
>
> You set options (as specified in http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by:
>
>     set :EXTENSION, { :a => true, :b => false }
>
> // Magnus Holm

--
Dave
Re: two security questions
Great; sorry for the delay, but I've been here in the last days :-)

http://upload.wikimedia.org/wikipedia/commons/b/bd/Preikestolen_Norge.jpg

// Magnus Holm

On Tue, Aug 10, 2010 at 22:50, David Susco dsu...@gmail.com wrote:
> Thanks, that did the trick. Got to comb through my templates now though :P.
>
> On Tue, Aug 10, 2010 at 4:01 PM, Magnus Holm judo...@gmail.com wrote:
>> David,
>>
>> As far as I remember, this should work:
>>
>>     module App
>>       set :haml, { :escape_html => true }
>>     end
>>
>> You set options (as specified in http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by:
>>
>>     set :EXTENSION, { :a => true, :b => false }
>>
>> // Magnus Holm
>>
>> On Mon, Aug 9, 2010 at 19:08, David Susco dsu...@gmail.com wrote:
>>> Thanks, I'll look into the middleware. I know that's how you escape HTML in Haml; what I am asking though is how you set the :escape_html option when all you have is an instance of Tilt.
>>>
>>> Dave
>>>
>>> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble t...@tedkimble.com wrote:
>>>> For cross-site request forgery protection I've simply used the Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). The github page is pretty self-explanatory.
>>>>
>>>> For Haml, you should just be able to set its :escape_html option to true and then %p= @something_nasty will be escaped by default. See: http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option for more info.
>>>>
>>>> Best,
>>>> Ted