Circumvent Rails CSRF Protection

There is a security-related bug in Ruby on Rails 2.1.x and all 2.2 pre-releases. The CSRF protection provided by
the protect_from_forgery method can be circumvented by a crafted request.

The problem is that Rails by design does not check the authenticity token if the request has one of certain content types that browsers typically do not generate. According to the original security message, this list also includes “text/plain”, which browsers can generate. This form data encoding roundup gives an overview of what today’s browsers can produce. See this changeset for details of which content types will be checked.

Possible Exploit

The content type can be set with the enctype attribute in HTML forms:

<form method="post" enctype="text/plain" action="<%= some_post_action_path(@var) %>"><%= submit_tag "Start" %></form>

This was found in this Lighthouse ticket. The original security message states that Rails does not parse the parameters for these requests. However, I was able to craft requests where all parameters were correctly parsed and used.


Temporary Solution

Users of 2.1.x releases are advised to insert the following code into a file in config/initializers/:

Mime::Type.unverifiable_types.delete(:text)

Alternatively, apply this patch for the 2.1.x releases. Users of Edge Rails should upgrade to the latest version.
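To make the mechanism and the workaround concrete, here is an added, simplified model of the forgery check described above and of the effect of the initializer line. This is example code written for this post, not Rails's own implementation: the class and method names (ForgeryCheck, verified?, parse_text_plain_form) are made up, the page only confirms that :text is in the unverifiable list (the other members are assumed), and the line-per-field encoding used for the text/plain body models what browsers send for an enctype="text/plain" form.

```ruby
require 'set'
require 'uri'

# Stand-in for Mime::Type.unverifiable_types. The post confirms :text is in
# the list; the remaining members are assumed for this example.
UNVERIFIABLE_TYPES = Set.new([:text, :json, :xml, :yaml]).freeze

# Media type -> the symbol the check looks up (mapping assumed for the example).
CONTENT_TYPE_SYMBOLS = {
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'text/plain'                        => :text,
  'application/json'                  => :json,
  'application/xml'                   => :xml,
}.freeze

Request = Struct.new(:method, :content_type, :body)

# Browsers encode an enctype="text/plain" form as one "name=value" per line.
# This parser shows why such a body still yields usable parameters; it is not
# the framework's parameter parser.
def parse_text_plain_form(body)
  body.to_s.split(/\r?\n/).each_with_object({}) do |line, params|
    name, value = line.split('=', 2)
    params[name] = value.to_s unless name.nil? || name.empty?
  end
end

class ForgeryCheck
  def initialize(session_token, unverifiable_types = UNVERIFIABLE_TYPES.dup)
    @session_token = session_token
    @unverifiable_types = unverifiable_types
  end

  # Counterpart of the initializer from the post:
  #   Mime::Type.unverifiable_types.delete(:text)
  def delete_unverifiable_type(sym)
    @unverifiable_types.delete(sym)
    self
  end

  def media_type(request)
    request.content_type.to_s.split(';').first.to_s.strip.downcase
  end

  # True when the token check applies to this request's content type.
  def verifiable_format?(request)
    sym = CONTENT_TYPE_SYMBOLS[media_type(request)]
    return false if sym.nil?   # unrecognised type: treated as skipped (assumption)
    !@unverifiable_types.include?(sym)
  end

  def params_for(request)
    case media_type(request)
    when 'application/x-www-form-urlencoded' then URI.decode_www_form(request.body.to_s).to_h
    when 'text/plain'                        then parse_text_plain_form(request.body)
    else {}
    end
  end

  # GET requests and "unverifiable" formats pass without a token; every other
  # request must carry the session's authenticity token.
  def verified?(request)
    return true if request.method == :get
    return true unless verifiable_format?(request)   # the gap described in the post
    params_for(request)['authenticity_token'] == @session_token
  end
end

# Constructed requests: a text/plain POST without a token (what the form in the
# post would send) and an ordinary form POST that carries the token.
def demonstrate_bypass_and_fix
  token  = 'constructed-session-token'
  forged = Request.new(:post, 'text/plain', "amount=100\r\nto=other-account\r\n")
  legit  = Request.new(:post, 'application/x-www-form-urlencoded',
                       "amount=100&authenticity_token=#{token}")
  {
    forged_before_fix: ForgeryCheck.new(token).verified?(forged),                                 # true
    forged_after_fix:  ForgeryCheck.new(token).delete_unverifiable_type(:text).verified?(forged), # false
    legit_after_fix:   ForgeryCheck.new(token).delete_unverifiable_type(:text).verified?(legit),  # true
  }
end

puts demonstrate_bypass_and_fix.inspect if $PROGRAM_NAME == __FILE__
```

The three results are the point: with :text in the unverifiable list, a token-less text/plain POST is accepted without ever consulting the token; once :text is removed, the same request is rejected while a normal form submission carrying the token still passes. After applying the initializer in a real 2.1.x app, the same check can be repeated against a controller protected by protect_from_forgery to confirm that a text/plain POST without a token now raises the usual InvalidAuthenticityToken error.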


Fixes

Fixes will be included in Rails versions 2.1.3 and 2.2.2.