[jifty-devel] Jifty::API changes

Shawn M Moore sartak at bestpractical.com
Thu Jan 24 08:37:08 EST 2008

Hello forest friends,

We've noticed recently that all Jifty apps suffer from one of these two

* vulnerability to XSS attacks
* incomplete REST interface

The first is that arbitrary actions can be run on GET requests. For

    <img src="http://your.app/static/logo.png?J:A-fnord=TestApp::Action::UpdateUser&J:A:F:F-password=seecrit">

The defense against this is to disable all actions on GET requests. This
change has been made in Jifty, r4922. Your application must now
whitelist any known-to-be-safe actions, such as with this:

    before '*' => run { Jifty->api->allow('OurCustomSearch') };

We'll be releasing a new Jifty to CPAN shortly with this fix. In the
meantime, you can install a hotfix to deny all actions on GET:

    before GET '*' => run { Jifty->api->deny(qr/.*/) };

The other, way less serious issue, is that the REST interface shows only
*allowed* actions for GET /=/action. What we now have is a way to
distinguish between "allowed actions" and "introspectable actions".
Denied actions are for when the request is invalid (such as a GET).
Invisible actions are for when the user should not be able to see the
action (such as an admin-only action).

I don't know of any applications that use Jifty->api->deny to mean "the
user should not be able to see this action", but if you're out there,
you need to change it to Jifty->api->hide.

    before '*' => run { Jifty->api->hide('PuntUser') };

Please let us know if this causes big headaches. We don't like breaking
backwards compatibility, but this is a huge security problem.

Shawn M Moore,
for Best Practical

More information about the jifty-devel mailing list