Hi rortalk,
I've been looking at my under development site's exposure to csrf attacks. While it is a good thing that rails provides request forgery protection for not-gets, it seems to me that for it to actually be meaningful you need to take the additional step of restricting the methods of your actions.
for example, say i have a destroy method in a controller of a restful app. by convention i invoke this using DELETE, and if i do so, request forgery protection applies. however, by default it is also possible to invoke it using GET, unless i explicitly do something like verify :method => :delete, :only => [ :destroy ]
this is potentially very bad .. as an example, attackers could use something cheesy like a lot of
<img src="http://mysite.com/valuabledocuments/destroy/1">
for 1....99999
on any page to have visiting users destroy all their valuable documents. obviously similar problems apply in terms of the ability to invoke update and create using GET without an explicit verify :method.
it seems to me like it would be sensible to provide an option (possibly a default) to verify that restful resources are accessed using only the correct http verbs.
one alternative is to have in the ApplicationController:
verify :method => :post, :only => [ :post ] verify :method => :put, :only => [ :update ] verify :method => :delete, :only => [ :destroy ]
which seems to work ok .. although it breaks the tests for restful_authentication, apparently (yet to look into it)
thoughts?
