- 浏览: 2072329 次
- 性别:
- 来自: NYC
文章分类
- 全部博客 (628)
- Linux (53)
- RubyOnRails (294)
- HTML (8)
- 手册指南 (5)
- Mysql (14)
- PHP (3)
- Rails 汇总 (13)
- 读书 (22)
- plugin 插件介绍与应用 (12)
- Flex (2)
- Ruby技巧 (7)
- Gem包介绍 (1)
- javascript Jquery ext prototype (21)
- IT生活 (6)
- 小工具 (4)
- PHP 部署 drupal (1)
- javascript Jquery sort plugin 插件 (2)
- iphone siri ios (1)
- Ruby On Rails (106)
- 编程概念 (1)
- Unit Test (4)
- Ruby 1.9 (24)
- rake (1)
- Postgresql (6)
- ruby (5)
- respond_to? (1)
- method_missing (1)
- git (8)
- Rspec (1)
- ios (1)
- jquery (1)
- Sinatra (1)
最新评论
-
dadadada2x:
user模型里加上 protected def email ...
流行的权限管理 gem devise的定制 -
Sev7en_jun:
shrekting 写道var pattern = /^(0| ...
强悍的ip格式 正则表达式验证 -
jiasanshou:
好文章!!!
RPM包rpmbuild SPEC文件深度说明 -
寻得乐中乐:
link_to其实就是个a标签,使用css控制,添加一个参数: ...
Rails在link_to中加参数 -
aiafei0001:
完全看不懂,不知所然.能表达清楚一点?
"$ is not defined" 的问题怎么办
A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites, users are advised to take the mitigating steps described below immediately.
The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false.
If the return value was nil, rails proceeded to verify this value against the provided password. Because of this an attacker can provide an invalid username and no password and authentication will succeed.
Fixed Versions
We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.
Steps to Protect your application.
Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:
Disclosure Notes
Due to communication difficulties and a mis-understanding between the reporter and the security team. This vulnerability has been publicly disclosed on several websites, users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.
Nate Kontny of Inkling Markets has found a nasty security hole in the code example provided in both the documentation and blog post for the Digest Authentication functionality in Rails 2.3. If you've built your routine in a similar way to that as shown in the Rails documentation or blog post, you might be open to security issues.
Here's the code example in question:
Notice that authenticate uses the Users hash to authenticate the HTTP Digest Auth request? When you call hashes with non-existing keys, nil is returned. Luckily, Rails' digest authentication routines consider a response of nil as an authentication failure but if the password actually supplied is blank (ending up as nil), things don't quite work out as intended since nil == nil and you get right through the authentication!
Nate has written up a ton of info about this, including a test and a patch, and it's a must-read unless you're totally confident you have this covered already.
Worryingly, Nate claims that he has had little luck in raising this vulnerability with the Rails core team:
I've attempted to contact this security list and a couple members on the core team through their individual email accounts over a week ago. I've only received one response last Thursday that someone would look into it, but the issue seemed to die there.
Now that enough time has been given for the security list to look into the problem (and hopefully not ignore it), the best practice I thought would be to tell as many people as possible about it so the fix can be applied and publicized. I felt I'd get a lot bigger audience here at Hacker news than the rails bug tracker. The bigger the audience the more people that can get their Rails 2.3 instances fixed if they are effected and avoid a problem. I was also planning on posting it there, but feel free to do it as well.
The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false.
If the return value was nil, rails proceeded to verify this value against the provided password. Because of this an attacker can provide an invalid username and no password and authentication will succeed.
Fixed Versions
We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.
Steps to Protect your application.
Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:
authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] end Should instead be something like: authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] || false end
Disclosure Notes
Due to communication difficulties and a mis-understanding between the reporter and the security team. This vulnerability has been publicly disclosed on several websites, users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.
Nate Kontny of Inkling Markets has found a nasty security hole in the code example provided in both the documentation and blog post for the Digest Authentication functionality in Rails 2.3. If you've built your routine in a similar way to that as shown in the Rails documentation or blog post, you might be open to security issues.
Here's the code example in question:
class PostsController < ApplicationController Users = {"dhh" => "secret"} before_filter :authenticate def index render :text => "You needed a password to see this…" end private def authenticate realm = "Application" authenticate_or_request_with_http_digest(realm) do |name| Users[name] end end end
Notice that authenticate uses the Users hash to authenticate the HTTP Digest Auth request? When you call hashes with non-existing keys, nil is returned. Luckily, Rails' digest authentication routines consider a response of nil as an authentication failure but if the password actually supplied is blank (ending up as nil), things don't quite work out as intended since nil == nil and you get right through the authentication!
Nate has written up a ton of info about this, including a test and a patch, and it's a must-read unless you're totally confident you have this covered already.
Worryingly, Nate claims that he has had little luck in raising this vulnerability with the Rails core team:
I've attempted to contact this security list and a couple members on the core team through their individual email accounts over a week ago. I've only received one response last Thursday that someone would look into it, but the issue seemed to die there.
Now that enough time has been given for the security list to look into the problem (and hopefully not ignore it), the best practice I thought would be to tell as many people as possible about it so the fix can be applied and publicized. I felt I'd get a lot bigger audience here at Hacker news than the rails bug tracker. The bigger the audience the more people that can get their Rails 2.3 instances fixed if they are effected and avoid a problem. I was also planning on posting it there, but feel free to do it as well.
发表评论
-
Destroying a Postgres DB on Heroku
2013-04-24 10:58 927heroku pg:reset DATABASE -
VIM ctags setup ack
2012-04-17 22:13 3255reference ctags --extra=+f --e ... -
alias_method_chain方法在3.1以后的替代使用方式
2012-02-04 02:14 3287alias_method_chain() 是rails里的一个 ... -
一些快速解决的问题
2012-01-19 12:35 1470问题如下: 引用Could not open library ... -
API service 安全问题
2011-12-04 08:47 1379这是一个长期关注的课题 rest api Service的 ... -
Module方法调用好不好
2011-11-20 01:58 1344以前说,用module给class加singleton方法,和 ... -
一个ajax和rails交互的例子
2011-11-19 01:53 1903首先,这里用了一个,query信息解析的包,如下 https: ... -
Rails 返回hash给javascript
2011-11-19 01:43 2272这是一个特别的,不太正统的需求, 因为,大部分时候,ajax的 ... -
关于Rubymine
2011-11-18 23:21 2262开个帖子收集有关使用上的问题 前一段时间,看到半价就买了。想 ... -
ruby中和javascript中,动态方法的创建
2011-11-18 21:01 1234class Klass def hello(*args) ... -
textmate快捷键 汇总
2011-11-16 07:20 8138TextMate 列编辑模式 按住 Alt 键,用鼠标选择要 ... -
Ruby面试系列六,面试继续面试
2011-11-15 05:55 2018刚才受到打击了,充分报漏了自己基础不扎实,不肯向虎炮等兄弟学习 ... -
说说sharding
2011-11-13 00:53 1481这个东西一面试就有人 ... -
rails面试碎碎念
2011-11-12 23:51 1939面试继续面试 又有问ru ... -
最通常的git push reject 和non-fast forward是因为
2011-11-12 23:29 17209git push To git@github.com:use ... -
Rails 自身的many to many关系 self has_many
2011-11-12 01:43 2731简单点的 #注意外键在person上people: id ... -
Rails 3下的 in place editor edit in place
2011-11-12 01:20 945第一个版本 http://code.google.com/p ... -
Heroku 的诡异问题集合
2011-11-11 07:22 1692开个Post记录,在用heroku过程中的一些诡异问题和要注意 ... -
SCSS 和 SASS 和 HAML 和CoffeeScript
2011-11-07 07:52 12952Asset Pipeline 提供了内建 ... -
Invalid gemspec because of the date format in specification
2011-11-07 02:14 2115又是这个date format的错误。 上次出错忘了,记录下 ...
相关推荐
rails 2.3 chm文档 官方最新版
rails guides的CHM版本,这个向导的版本是2.3
在实际项目中,理解并正确使用http_authentication和restful-authentication对于提升Rails应用的安全性和用户体验至关重要。开发者应当根据项目需求和安全性考虑来选择合适的认证方式。在学习和应用这些知识时,参考...
Railsbrain是一个专注于Rails框架的在线资源平台,而这个“railsbrain网站的rails2.3文档(bug修复版)”显然是一份针对Rails 2.3版本的更新文档,旨在修复用户在浏览和交互过程中遇到的问题。Rails是Ruby编程语言的...
Ruby on Rails Guide:是rails官方教程,本人为了大家学习查阅的方便,制成chm格式。就如同java doc的chm格式一样方便。
Rails是一个基于Ruby语言的开源Web应用程序框架,它遵循模型-视图-控制器(MVC)架构模式,旨在提高开发效率和代码的可读性。 在这个API文档中,你可以找到关于以下关键知识点的详细信息: 1. **Ruby语法基础**:...
在Rails 3.2中,控制器性能得到了优化,比如加入了Strong Parameters功能,增强了参数过滤和验证的安全性。 2. **Action View**:视图层负责渲染HTML和其他格式的输出。Rails 3.2提供了更灵活的模板引擎选择,如ERB...
描述中的 "ruby and rails 的框架rails-2.3.3.zip" 提到的是 Rails 的另一个版本 2.3.3,尽管与标题中的版本号不完全匹配,但我们可以推断这是关于 Rails 2.3.x 系列的讨论。这个压缩包很可能包含了 Rails 框架的源...
原文在此http://guides.ruby-china.org/index.html 我只是把html拷贝到word里面罢了 然而只拷贝到了Rails 安全指南这一章,后面的太多就没拷贝了 初学者只需打印到368页即可
**中文版Rails教程** Rails,全称为Ruby on Rails,是一个基于Ruby编程语言的开源Web应用程序框架,遵循MVC(模型-视图-控制器)架构模式。Rails以其“约定优于配置”(Convention over Configuration)和“Don't ...
Brakeman是一个静态分析工具,可检查Ruby on Rails应用程序中的安全漏洞。 安装 使用RubyGems: gem install brakeman 使用Bundler: group :development do gem 'brakeman' end 使用Docker: docker pull ...
### Rails 101 入门电子书知识点详解 #### 一、简介 《Rails 101 入门电子书》是一本非常适合初学者直接入门的书籍,它由xdite编写并出版于2014年6月10日。本书主要针对的是希望学习Ruby on Rails框架的读者,特别...
- **Authentication** 和 **Authorization**:身份验证和授权机制,确保用户安全。 - **Asset Pipeline**:处理和优化应用的静态资源,如JS、CSS的合并和压缩。 学习Rails项目起步,你需要熟悉这些核心概念,并...
Ruby on Rails,通常简称为Rails,是一个基于Ruby编程语言的开源Web应用框架,遵循MVC(Model-View-Controller)架构模式。这个“Rails项目源代码”是一个使用Rails构建的图片分享网站的完整源代码,它揭示了如何...
此外,书中还介绍了一些Rails中的高级概念,如Strong Parameters(强参数),它在Rails 4.0版本中引入,用于解决之前版本中的参数篡改问题,从而帮助开发者安全地处理外部提交的数据。 通过一系列的教学内容,包括...
- **社区资源**:加入Rails官方论坛、Stack Overflow等社区获取帮助和支持。 #### 十一、文档编写技巧 - **重要性**:良好的文档不仅有助于他人理解你的代码,还能提高团队协作效率。 - **实践**:编写清晰、准确...
Brakeman 是一个用来分析基于 Ruby on Rails 框架开发的应用程序的静态分析安全漏洞扫描器。 标签:Brakeman