Prevent modification ("hacking") of hidden fields in form in rails3?

Developer https://www.devze.com 2023-04-06 22:09 Source: Internet

So let's say I have a form for submitting a new post.

The form has a hidden field which specifies the category_id. We are also on the show view for that very category.

What I'm worried about is that someone using something like Firebug might just edit the category id in the code, and then submit the form - creating a post for a different category.

Obviously my form is more complicated and a different scenario - but the idea is the same. I also cannot define the category in the post's create controller, as the category will be different on each show view...

Any solutions?

EDIT:

Here is a better question - is it possible to grab the Category id in the create controller for the post, if it's not in a hidden field?


Does your site have the concept of permissions / access control lists on the categories themselves? If the user would have access to the other category, then I'd say there's no worry here since there's nothing stopping them from going to that other category and doing the same.

If your categories are restricted in some manner, then I'd suggest nesting your Post under a category (nested resource routes) and do a before_filter to ensure you're granted access to the appropriate category.

config/routes.rb

resources :categories do 
  resources :posts
end

app/controllers/posts_controller.rb

class PostsController < ApplicationController
  # Runs before every action: loads the category named in the nested route
  before_filter :ensure_category_access

  def create
    # Build the post through the category loaded from the URL
    @post = @category.posts.new(params[:post])
    # ...
  end

  private

  def ensure_category_access
    @category = Category.find(params[:category_id])
    # do whatever you need to do. if you don't have to validate access, then I'm not sure I'd worry about this.
    # If the user wants to change their category in their post instead of
    # going to the other category and posting there, I don't think I see a concern?
  end
end

URL would look like

GET /categories/1/posts/new
POST /categories/1/posts


pst is right - never trust the user. Double-check the value sent via the view in your controller and, if it doesn't match something valid, kick the user out (auto-logout) and send the admin an email. You may also want to lock the user's account if it keeps happening.


Never, ever trust the user, of course ;-)

Now, that being said, it is possible to with a very high degree of confidence rely on hidden fields for temporal storage/staging (although this can generally also be handled entirely on the server with the session as well): ASP.NET follows this model and it has proven to be very secure against tampering if used correctly -- so what's the secret?

Hash validation aka MAC (Message Authentication Code). The ASP.NET MAC and usage is discussed briefly in this article. In short the MAC is a hash of the form data (built using a server -- and perhaps session -- secret key) which is embedded in the form as a hidden field. When the form submission occurs this MAC is re-calculated from the data and then compared with the original MAC. Because the secrets are known only to the server it is not (realistically) possible for a client to generate a valid MAC from the data itself.

However, I do not use RoR or know what modules, if any, may implement security like this. I do hope that someone can provide more insight (in their own answer ;-) if such solutions exist, because it is a very powerful construct and easily allows safe per-form data association and validation.

Happy coding.
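
The MAC scheme described in the answer above, sketched in plain Ruby as an added example (not code from the original thread or from Rails). The helper names, the demo secret and the session id values are assumptions made for illustration; the MAC also covers the field name and session id so a tag cannot be reused for another field or session.

```ruby
require "openssl"

# Constructed demo key (assumption); a real application keeps this in server-side config.
SERVER_SECRET = "constructed-demo-secret-not-for-production"

# Hypothetical helper: HMAC-SHA256 over field name, value and session id.
def hidden_field_mac(name, value, session_id, secret = SERVER_SECRET)
  # Length-prefix each part so ("ab", "c") and ("a", "bc") never hash the same input.
  message = [name, value, session_id].map { |part|
    text = part.to_s
    "#{text.bytesize}:#{text}"
  }.join
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, message)
end

# Constant-time comparison: does not reveal how many leading characters matched.
def secure_compare(expected, given)
  return false unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side on submit: recompute the MAC from the submitted value and compare.
def hidden_field_valid?(name, value, session_id, submitted_mac, secret = SERVER_SECRET)
  return false unless submitted_mac.is_a?(String)
  secure_compare(hidden_field_mac(name, value, session_id, secret), submitted_mac)
end

if __FILE__ == $0
  # Rendering the form: emit category_id plus its MAC as two hidden fields.
  mac = hidden_field_mac("category_id", 1, "session-abc")
  # Untouched submission (params arrive as strings): accepted.
  puts hidden_field_valid?("category_id", "1", "session-abc", mac)
  # category_id edited in the browser: rejected.
  puts hidden_field_valid?("category_id", "2", "session-abc", mac)
end
```

Rails ships `ActiveSupport::MessageVerifier`, which implements the same sign-and-verify pattern. A valid MAC only shows the value was issued by the server; whether this user may post to that category is still the access check from the first answer.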
