[jifty-devel] Jifty::API changes

Shawn M Moore sartak at bestpractical.com
Thu Jan 24 08:37:08 EST 2008


Hello forest friends,

We've noticed recently that all Jifty apps suffer from one of these two
problems:

* vulnerability to XSS attacks
* incomplete REST interface

The first is that arbitrary actions can be run on GET requests. For
example:

    <img src="http://your.app/static/logo.png?J:A-fnord=TestApp::Action::UpdateUser&J:A:F:F-password=seecrit">

The defense against this is to disable all actions on GET requests. This
change has been made in Jifty, r4922. Your application must now
whitelist any known-to-be-safe actions, such as with this:

    before '*' => run { Jifty->api->allow('OurCustomSearch') };

We'll be releasing a new Jifty to CPAN shortly with this fix. In the
meantime, you can install a hotfix to deny all actions on GET:

    before GET '*' => run { Jifty->api->deny(qr/.*/) };


The other, far less serious, issue is that the REST interface shows only
*allowed* actions for GET /=/action. What we now have is a way to
distinguish between "allowed actions" and "introspectable actions".
Denied actions are for when the request is invalid (such as a GET).
Invisible actions are for when the user should not be able to see the
action (such as an admin-only action).

I don't know of any applications that use Jifty->api->deny to mean "the
user should not be able to see this action", but if you're out there,
you need to change it to Jifty->api->hide.

    before '*' => run { Jifty->api->hide('PuntUser') };
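
As an added illustration (not code from this mail or from the Jifty project), here is how the three rules above fit together in one application dispatcher. The package name and the action names `SearchTickets`, `PuntUser` and `DeleteAccount` are assumptions; the `Jifty->api->deny`, `allow` and `hide` calls and the dispatcher `before` rules are the ones the mail describes, and `Jifty->web->current_user->is_superuser` is the standard Jifty current-user check:

```perl
package MyApp::Dispatcher;    # assumed application name
use strict;
use warnings;
use Jifty::Dispatcher -base;

# 1. Refuse every action on a GET request. From r4922 on this is the
#    default; on an older Jifty this is the hotfix from the mail, and it
#    stops an <img src="...?J:A-...=SomeAction..."> from running anything.
before GET '*' => run {
    Jifty->api->deny(qr/.*/);
};

# 2. Whitelist only the actions that are genuinely safe to trigger from a
#    bare link: read-only searches that change no state. Never put an
#    action that writes (UpdateUser, DeleteAccount, ...) in this list.
#    Action name assumed.
before '*' => run {
    Jifty->api->allow('SearchTickets');
};

# 3. Admin-only actions: deny them to everyone except superusers so they
#    cannot be run, and hide them so they no longer appear in
#    GET /=/action. Hiding alone controls visibility, not execution,
#    so the deny is what actually protects the action. Action names assumed.
before '*' => run {
    my @admin_only = qw(PuntUser DeleteAccount);
    unless ( Jifty->web->current_user->is_superuser ) {
        Jifty->api->deny($_) for @admin_only;
        Jifty->api->hide($_) for @admin_only;
    }
};

1;
```

The order matters: `deny(qr/.*/)` runs first for GET, and the later `allow('SearchTickets')` re-enables just that one action, which is the whitelist shape the mail asks every application to adopt.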

Please let us know if this causes big headaches. We don't like breaking
backwards compatibility, but this is a huge security problem.

Shawn M Moore,
for Best Practical
