If I’m not mistaken, a user can send POST data from outside of a web
browser; I think this is something that is done to brute-force form
logins, or to automate spam, etc.
In my app, which operates like a forum, Comment objects have a boolean
attribute “sticky” which determines if that Comment is displayed before
all other comments.
I was thinking, what would happen if a user forcefully sent “sticky =>
true” in POST data? I would imagine my app’s new_comment action would
simply create a new object from that data and falsely make his or her
post a sticky-post. Is this a possibility, and is it something I should
be trying to prevent? Just something I recently pondered.
On Mar 8, 2007, at 7:49 PM, Anonymous wrote:
If I’m not mistaken, a user can send POST data from outside of a web
browser; I think this is something that is done to brute-force form
logins, or to automate spam, etc.
Yes, and often for testing.
Is this a possibility, and is it something I should be trying to prevent? Just something I recently pondered.
That is a danger if you’re doing something like:
MyModel.create(params[:my_model])
without checking the param values.
You probably want to take a look at the attr_protected method:
http://rails.rubyonrails.org/classes/ActiveRecord/Base.html#M001005
James.
–
James S.
Play: http://james.anthropiccollective.org
Work: Processing Greenbelt 2009 – James Stewart
Yes, this is the reason for captchas and user-logins. You should be
actively thinking about how people can attack your app from both
within and without a web browser.
If you’re allowing your objects to be modified via POSTs, you should
probably authenticate the call first. You have some sort of login
system, right?
Ah okay, I was right.
I was preventing it by: self[:sticky] = nil during before_create. I was
previously unaware of attr_protected which is obviously a much cleaner
solution. Thanks.
Yes, and often for testing.
Sigh. One day I’ll actually learn how to do this. I don’t know why
I’ve allowed myself to go so long without.
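The three approaches discussed in this thread side by side, as an added example that is not code from the thread or from Rails itself: a plain-Ruby stand-in that emulates ActiveRecord's mass assignment, James's attr_protected and the original poster's before_create workaround, so they can be run without a Rails install. The Comment classes, the ATTACKER_PARAMS hash and the casting rule for the boolean column are constructed for the example. One caveat for anyone reading this today: attr_protected was a blacklist and was removed from Rails in 4.0 in favour of strong parameters, a whitelist applied in the controller (params.require(:comment).permit(:body)); the point the example makes about mass versus direct assignment is the same either way.

```ruby
# Added example, not code from the thread. A plain-Ruby stand-in for the
# ActiveRecord behaviour being discussed: nothing here loads Rails, the
# Comment classes below only emulate mass assignment, attr_protected and a
# before_create callback so the three variants can be run side by side.

# Constructed request body, as an attacker could submit it from outside
# the browser (e.g. curl -d 'comment[body]=hi&comment[sticky]=true' ...).
# Rails would hand this to the action as params[:comment].
ATTACKER_PARAMS = { 'body' => 'first post!', 'sticky' => 'true' }.freeze

class Comment
  COLUMNS = %w[body sticky].freeze
  TRUE_VALUES = %w[1 t true].freeze # how a boolean column casts form input

  attr_reader :body, :sticky

  # Mass assignment: Comment.new(params[:comment]) / Comment.create(...)
  def initialize(attrs = {})
    @body = nil
    @sticky = false
    assign_attributes(attrs)
  end

  def self.create(attrs = {})
    record = new(attrs)
    record.save
    record
  end

  # save runs the before_create hook first, as ActiveRecord does.
  def save
    before_create
    self
  end

  def before_create; end # no-op by default; overridden in CallbackComment

  # Attribute names this class refuses to take from a params hash.
  # The base class protects nothing, which is the vulnerable default.
  def self.protected_attributes
    []
  end

  def assign_attributes(attrs)
    attrs.each do |name, value|
      name = name.to_s
      next unless COLUMNS.include?(name)
      next if self.class.protected_attributes.include?(name) # attr_protected

      write_attribute(name, value)
    end
  end

  # Direct assignment is NOT mass assignment: attr_protected never blocks it,
  # so trusted code (an admin-only action) can still set the flag.
  def sticky=(value)
    write_attribute('sticky', value)
  end

  private

  def write_attribute(name, value)
    value = (value.nil? ? nil : TRUE_VALUES.include?(value.to_s.downcase)) if name == 'sticky'
    instance_variable_set("@#{name}", value)
  end
end

# 1. Vulnerable: MyModel.create(params[:my_model]) with nothing protected.
class NaiveComment < Comment; end

# 2. James's suggestion: attr_protected :sticky drops the key during mass
#    assignment but leaves comment.sticky = true available to trusted code.
class ProtectedComment < Comment
  def self.protected_attributes
    %w[sticky]
  end
end

# 3. The original poster's workaround: blank the flag in before_create.
#    Note that this also wipes a value set legitimately before save.
class CallbackComment < Comment
  def before_create
    @sticky = nil # self[:sticky] = nil
  end
end

if $PROGRAM_NAME == __FILE__
  puts "naive:     sticky=#{NaiveComment.create(ATTACKER_PARAMS).sticky.inspect}"
  puts "protected: sticky=#{ProtectedComment.create(ATTACKER_PARAMS).sticky.inspect}"
  puts "callback:  sticky=#{CallbackComment.create(ATTACKER_PARAMS).sticky.inspect}"
  admin = ProtectedComment.new(ATTACKER_PARAMS)
  admin.sticky = true # trusted path, not mass assignment
  puts "admin via attr_protected model: #{admin.save.sticky.inspect}"
  admin = CallbackComment.new(ATTACKER_PARAMS)
  admin.sticky = true
  puts "admin via before_create model:  #{admin.save.sticky.inspect}"
end
```

Running it shows the naive model accepting sticky=true from the forged POST, the attr_protected model ignoring it while still letting an explicit `comment.sticky = true` through, and the before_create model clearing the flag for forged and legitimate writes alike, which is why a separate code path (or a different approach) is needed for moderators to make a post sticky under that variant.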
You might want to check out this link[1] as well. It cautions about
your very problem, and has a few other precautions you can take to
harden your application.
Nelson
[1] Peak Obsession