gpt4 book ai didi

javascript - 补丁 Rails 3 以修复 CSRF 保护漏洞

转载 作者:太空宇宙 更新时间:2023-11-03 16:23:51 24 4
gpt4 key购买 nike

我目前正在做一个使用 Rails 3.2 的大项目,没有机会迁移到 Rails 4。据我所知,当你有 GET 请求的 JS View 时,Rails 3 有 CSRF 保护漏洞。在 Rails 4 中,这个 PR 修复了它。

https://github.com/rails/rails/pull/13345/files

有谁知道如何修补 Rails 3 以修复此漏洞?

最佳答案

您可以对 Rails 3.2 ActionController::RequestForgeryProtection 模块应用完全相同的更改。

# config/initializers/cross_origin_script_tag_protection.rb

module ActionController
class InvalidCrossOriginRequest < ActionControllerError
end

module RequestForgeryProtection
module ClassMethods
def protect_from_forgery(options = {})
self.request_forgery_protection_token ||= :authenticity_token
prepend_before_filter :verify_authenticity_token, options
append_after_action :verify_same_origin_request
end
end

protected

def verify_authenticity_token
@marked_for_same_origin_verification = true

unless verified_request?
logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
handle_unverified_request
end
end

CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
"<script> tag on another site requested protected JavaScript. " \
"If you know what you're doing, go ahead and disable forgery " \
"protection on this action to permit cross-origin JavaScript embedding."
private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING

# If `verify_authenticity_token` was run (indicating that we have
# forgery protection enabled for this request) then also verify that
# we aren't serving an unauthorized cross-origin response.
def verify_same_origin_request
if marked_for_same_origin_verification? && non_xhr_javascript_response?
logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
end
end

# If the `verify_authenticity_token` before_action ran, verify that
# JavaScript responses are only served to same-origin GET requests.
def marked_for_same_origin_verification?
defined? @marked_for_same_origin_verification
end

# Check for cross-origin JavaScript responses.
def non_xhr_javascript_response?
content_type =~ %r(\Atext/javascript) && !request.xhr?
end
end
end

请告诉我它是否适合您。

关于javascript - 补丁 Rails 3 以修复 CSRF 保护漏洞,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28816617/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com