Prevent CSRF

Posted by: Shugo Maeda Sat, 06 Aug 2005 13:13:00 GMT

I could not find any CSRF protection support in Rails 0.13.1. So I did it myself.

At first, I changed ApplicationController and ApplicationHelper.

app/controller/application.rb:

class ApplicationController < ActionController::Base
  private

  def validate_session
    if @params[:session_id_validation] == @session.session_id
      return true
    else
      render(:text => SESSION_VALIDATION_FAILED_HTML,
             :status => "403 Forbidden")
      return false 
    end
  end

  SESSION_VALIDATION_FAILED_HTML = <<EOF
<html>
  <head>
    <title>403 Forbidden</title>
  </head>
  <body>
    <h1>403 Forbidden</h1>
    <p>
      Session validation failed.
    </p>
  </body>
</html>
EOF
end

app/helpers/application_helper.rb:

module ApplicationHelper
  def secure_form_tag(*args)
    return start_form_tag(*args) + "\n" +
      hidden_field_tag("session_id_validation", @session.session_id)
  end
end

Then replaced start_form_tag by secure_form_tag.

app/views/<controller_name>/edit.rhtml:

<h1>Edit</h1>

<%= secure_form_tag :action => 'update', :id => @model_name %>
  <%= render_partial 'form' %>
  <%= submit_tag 'Edit' %>
<%= end_form_tag %>

<%= link_to 'Show', :action => 'show', :id => @model_name %> |
<%= link_to 'Back', :action => 'list' %>

Finally, specified before_filter to each action.

app/controllers/<controllername>controller.rb

class <ControllerName>Controller < ApplicationController
  before_filter :validate_session, :only => [:create, :update, :destroy]

  ...
end

scaffold generates code to destory by GET, so I added a view for confirmation and added a form to destroy by POST.

Posted in Rails | no comments | no trackbacks

typo on mod_ruby

Posted by: Shugo Maeda Thu, 04 Aug 2005 02:29:00 GMT

I'm running typo on mod_ruby. It works fine, but some trivial fixes are required. If you want to run typo by Apache::RailsDispatcher, please apply the following patch.

=== config/environment.rb
==================================================================
--- config/environment.rb  (revision 264)
+++ config/environment.rb  (local)
@@ -82,7 +82,8 @@

 # Include your app's configuration here:
 $KCODE = 'u'
-require_dependency 'jcode'
+#require_dependency 'jcode'
+require 'jcode'
 require_dependency 'aggregations/delicious'
 require_dependency 'aggregations/tada'
 require_dependency 'aggregations/flickr'
@@ -96,4 +97,4 @@

 ActiveSupport::CoreExtensions::Time::Conversions::DATE_FORMATS.merge!(
   :long_weekday => '%a %B %e, %Y %H:%M'
-)
\ No newline at end of file
+)
=== lib/spam_protection.rb
==================================================================
--- lib/spam_protection.rb  (revision 264)
+++ lib/spam_protection.rb  (local)
@@ -111,7 +111,7 @@
   end
 end

-module ActiveRecord
+ActiveRecord.module_eval(<<EOF)
   module Validations
     module ClassMethods
       def validates_against_spamdb(*attr_names)
@@ -133,4 +133,4 @@
       end
     end
   end
-end
\ No newline at end of file
+EOF
=== lib/transforms.rb
==================================================================
--- lib/transforms.rb  (revision 264)
+++ lib/transforms.rb  (local)
@@ -12,7 +12,7 @@
   text.gsub(tag, '').gsub(/\s+/, ' ').strip
 end

-class String
+class Object::String
   # Converts a post title to its-title-using-dashes
   # All special chars are stripped in the process  
   def to_url
@@ -35,4 +35,4 @@

     result
   end
-end
\ No newline at end of file
+end

Posted in mod_ruby, Rails | no comments | no trackbacks

mod_ruby vs FastCGI on Rails

Posted by: Shugo Maeda Wed, 03 Aug 2005 22:33:00 GMT

I'm reading Agile Web Development with Rails. This book is quite good. It's easy to read for non-native English speakers like me, but the content is exciting. If you're trying to use Rails, you should read this book.

But I felt sad to read these paragraphs (p.459).

Additionally, the FastCGI processes are not married to the web server process, so you can have 100 web server processes that deal with all the static requests and perhaps just 10 FastCGIs dealing with the dynamic requests. This isn't the case with servlets, CGI, and even mod_ruby (another deprecated approach to serving applications for Rails).

This is crucially important for memory consumption, as a single Apache instance will eat only about 5MB when doing static serving but can easily take 20-30MB if it needs to host the Ruby interpreter with a loaded application. Having 100 Apaches with 10 FastCGIs will use only 800MB of memory while having 100 Apaches each containing mod_ruby process can easily use 3GB of memory. RAM may be cheap, but there’s no reason to be such a spendthrift about it.

I admit that FastCGI gives a better performance than (at least current Rails support of) mod_ruby, but this comparison is not fair. Usually, mod_ruby users run another Apache instance (or light Web server like lighttpd) for static requests in such a serious situation, so there is no need to have 100 Apache processes for mod_ruby.

Posted in mod_ruby, Rails | no comments | no trackbacks

Running Rails on mod_ruby

Posted by: Shugo Maeda Wed, 03 Aug 2005 05:34:00 GMT

I implemented Apache::RailsDispatcher to run Rails applications on mod_ruby. You have to use the SVN HEAD version of mod_ruby to use it.

Apache::RailsDispatcher can run multiple applications in the same process. It works like this:

  • require loads libraries into the top level, and they are shared with all applications.
  • require_dependency loads libraries into an anonymous module for each application.
  • In the development environment, the anonymous module is orphaned on each request. So required_dependency loads libraries every time.
  • In the production environment, the same anonymous module is used for the same application. So required_dependency loads libraries only at once.
  • Rails configurations such as ActiveRecord::Base.colorize_logging are reset on each request.

This hack is just a workaround until YARV supports multiple VM instances. We can get it in the near future, I hope.

To use Apache::RailsDispatcher, you have to write the following configuration in httpd.conf.

RubySafeLevel 0
# If you use RubyGem
# RubyRequire rubygems
RubyRequire apache/rails-dispatcher
RubyTransHandler Apache::RailsDispatcher.instance
<Location /appname>
  SetHandler ruby-object
  RubyHandler Apache::RailsDispatcher.instance
  RubyOption rails_uri_root /appname
  RubyOption rails_root /path/to/rails/root
  RubyOption rails_env production
</Location>

Please note that you can't override exinting classes like this:

class Array
  def cycle()
    self.each_with_index {|o, i| yield(o, %w(odd even)[i % 2])}
  end
end

You should prepend Object:: to the class name:

class Object::Array
  def cycle()
    self.each_with_index {|o, i| yield(o, %w(odd even)[i % 2])}
  end
end

This behaivour is same as Kernel.load(filename, true). If you don't like this, please convince Matz to change it.

Posted in mod_ruby, Rails | no comments | no trackbacks

Started blog

Posted by: Shugo Maeda Wed, 03 Aug 2005 03:48:00 GMT

I started blog to learn English. Please fix my funny English!

Posted in Misc | no comments | no trackbacks

Older Posts

Older posts: 1 2 3