Re: two security questions

2010-08-12 Thread Magnus Holm
This example worked here:

require 'rubygems'
require 'rack/csrf'
require 'camping'
require 'camping/session'

Camping.goes :Hello

module Hello
  use Rack::Csrf
  include Camping::Session
end

module Hello::Controllers
  class Index
    def get
      Rack::Csrf.csrf_token(@env)
    end
  end
end

Notice that you'll have to reverse the `use`-lines. Maybe we should
file that as a bug? Since it works the other way both in Rackup files
and Sinatra?

// Magnus Holm
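The per-session key check David sketched at the start of the thread, as an added example in plain Ruby (not Rack::Csrf or Camping code): the token is minted once into the session and compared in constant time on state-changing requests, and the demo also shows why it changes on every call when nothing persists the session. The `rack.session`/`_csrf`/`X-CSRF-Token` names and the `csrf.token` session key are assumptions for this example.

```ruby
require 'securerandom'

# Session key under which the token is kept; the name is an assumption for
# this example, not necessarily the key Rack::Csrf uses.
TOKEN_KEY = 'csrf.token'.freeze

# Return the session's CSRF token, minting one on first use. The session is
# whatever the session middleware stored in env['rack.session']; if that is
# missing there is nowhere to keep the token between requests.
def csrf_token(env)
  session = env['rack.session']
  raise 'no rack.session in env: is the session middleware loaded before the CSRF check?' unless session
  session[TOKEN_KEY] ||= SecureRandom.base64(32)
end

# Constant-time comparison so a mismatch cannot be timed byte by byte.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Safe methods pass; any state-changing request must carry the session's token
# either as a form field or as a header (assumed names).
def csrf_valid?(env, params)
  return true if %w[GET HEAD].include?(env['REQUEST_METHOD'])
  submitted = params['_csrf'] || env['HTTP_X_CSRF_TOKEN']
  secure_compare(csrf_token(env), submitted)
end

# Demo: with one persistent session the token is stable and the check works;
# with a session rebuilt on every call the token differs each time, which is
# the symptom of a session that is not actually being persisted.
def demo
  session = {} # constructed stand-in for what a working session store persists
  env = { 'rack.session' => session, 'REQUEST_METHOD' => 'POST' }
  token = csrf_token(env)
  {
    stable: token == csrf_token(env),                              # true
    legit:  csrf_valid?(env, '_csrf' => token),                    # true
    forged: csrf_valid?(env, '_csrf' => SecureRandom.base64(32)),  # false
    changes_without_persistence:
      csrf_token('rack.session' => {}) != csrf_token('rack.session' => {}) # true
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```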



 On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble t...@tedkimble.com wrote:
 For cross-site request forgery protection I've simply used the
 Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf).
 The github page is pretty self explanatory.

 For Haml, you should just be able to set its :escape_html option to
 true and then

    %p= @something_nasty

 will be escaped by default. See:

 http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option

 for more info.

 Best,
 Ted

 On Mon, Aug 9, 2010 at 9:15 AM, David Susco dsu...@gmail.com wrote:
 Hey guys,

 What do people do to protect against cross-site request forgery? To
 mimic what rails does I was thinking of creating a unique key for each
 session, and then in my logged_in? helper checking if the key passed
 by the user matches the one I set in the session.

 On the second question, I'm using Tilt with Haml templates. Any idea
 how I can set Haml's :escape_html option so each template escapes all
 HTML within variables?

 --
 Dave
 ___
 Camping-list mailing list
 Camping-list@rubyforge.org
 http://rubyforge.org/mailman/listinfo/camping-list

Re: two security questions

2010-08-11 Thread David Susco
Ted,

Do you use Camping::Session with Rack::Csrf? If so, how did you get it
to work? Once I include Camping::Session the csrf_token changes every
time I call the method.

Can anyone explain what include Camping::Session is actually doing?

Dave

-- 
Dave


Re: two security questions

2010-08-11 Thread Ted Kimble
Dave,

Unfortunately I've actually not yet used Rack::Csrf with Camping.

In Sinatra, I just:

  use Rack::Session::Cookie, :secret => 'something'
  use Rack::Csrf

and it works fine. Looking at Camping's source for Camping::Session,
it looks like it's basically doing the same
(http://github.com/camping/camping/blob/master/lib/camping/session.rb#L32).

The csrf_token shouldn't be changing every time, as Rack::Csrf is
storing it in your session. Can you verify that rack.session is
present in your session?

Ted


Re: two security questions

2010-08-10 Thread David Susco
Thanks, that did the trick. Got to comb through my templates now though :P.

On Tue, Aug 10, 2010 at 4:01 PM, Magnus Holm judo...@gmail.com wrote:
 David,

 As far as I remember, this should work:

  module App
    set :haml, { :escape_html => true }
  end

 You set options (as specified in
 http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by:

  set :EXTENSION, { :a => true, :b => false }

 // Magnus Holm



 On Mon, Aug 9, 2010 at 19:08, David Susco dsu...@gmail.com wrote:
 Thanks I'll look into the middleware.

 I know that's how you escape HTML in Haml, what am asking though is
 how you set the :escape_html option when all you have is an instance
 of Tilt.

 Dave

-- 
Dave


Re: two security questions

2010-08-10 Thread Magnus Holm
Great; sorry for the delay, but I've been here in the last days :-)

http://upload.wikimedia.org/wikipedia/commons/b/bd/Preikestolen_Norge.jpg

// Magnus Holm


