You are viewing an historical archive of past issues. Please report new issues to the appropriate project issue tracker on GitHub.

Bug #1685: "Snowman" showing up in some URL query strings

Kind: bug
Product: wincent.dev
When: created 2010-09-09T16:06:22Z, updated 2010-09-11T12:10:09Z
Status: closed
Reporter: Greg Hurrell
Tags: no tags

Description

Just noticed this URL in local testing:

http://localhost:3000/tags/search?utf8=✓&q=site&commit=Search

This is from the tags#search form, which submits itself via GET. Maybe I should change it to submit via POST.

Must also check for any other such forms in the codebase.

Comments

  1. Greg Hurrell 2010-09-09T16:12:12Z

    According to Ack, these are the only places where I have a GET form:

    app/views/articles/index.html.haml
    27:=form_tag search_tags_path, :method => 'get' do
    
    app/views/tags/search.html.haml
    10:  =form_tag search_tags_path, :method => 'get' do

    I can't remember right now why I chose to use a GET form; probably something to do with page caching and forgery protection tokens. Can always just turn off the tokens for the tags#search action using skip_before_filter :verify_authenticity_token, :only => :search, and suppress the insertion of the token in the form itself.

    Just need to review the security consequences of doing so first.

  2. Greg Hurrell 2010-09-11T11:57:31Z

    Unfortunately there is no way to "suppress" the insertion of the token. I suppose I could turn off forgery protection entirely just while rendering the form, but that seems horribly kludgey.

    The only way around this, then, is to hand-code the form, and if I do that I lose the auto-inserted snowman, so will have to recreate that by hand. Such is life, I guess.

    As far as security is concerned, there is no need for CSRF protection here because we're talking about a non-destructive action (i.e. not a create, delete or update).
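The hand-coded GET search form discussed in comments 1 and 2, as an added example in plain Ruby (standard library only; this is not the project's own HAML template or Rails' form_tag code). It assumes the field names q and commit and the action path /tags/search from the URL in the description; the helper names search_form_html, submitted_query_string, parsed_params and get_form_leaks_token? are made up for the example. The hidden utf8 field is what produces the "snowman" in the query string: the Rails 3.0 betas used name="_snowman" with a ☃ value, the release switched to utf8=✓, and the address bar simply shows the percent-encoded check mark decoded.

```ruby
require "cgi"
require "uri"

# Mirror of the hidden field Rails 3 adds to every form to nudge browsers
# (old IE in particular) into submitting form data as UTF-8. This is the
# "snowman" field from the issue title; the value is a check mark (U+2713).
UTF8_ENFORCER_TAG = %(<input name="utf8" type="hidden" value="&#x2713;" />)

# Hand-coded GET search form modelled on what form_tag emits for
# :method => 'get', deliberately without an authenticity_token. A token adds
# nothing for a read-only search and, in a GET form, would land in the URL,
# where it can leak via Referer headers, browser history and server logs.
# Field names (q, commit) and the action path are taken from the issue's URL.
def search_form_html(action, query: "", button: "Search")
  <<~HTML
    <form action="#{CGI.escapeHTML(action)}" method="get">
      #{UTF8_ENFORCER_TAG}
      <input name="q" type="text" value="#{CGI.escapeHTML(query)}" />
      <input name="commit" type="submit" value="#{CGI.escapeHTML(button)}" />
    </form>
  HTML
end

# What a browser actually puts on the wire when that form is submitted: the
# check mark is percent-encoded, so the URL quoted in the description is just
# the address bar's decoded rendering of utf8=%E2%9C%93.
def submitted_query_string(query)
  URI.encode_www_form("utf8" => "\u2713", "q" => query, "commit" => "Search")
end

# Server-side view of the same query string: Rack decodes the percent-encoded
# bytes back into the UTF-8 check mark before the controller sees params.
def parsed_params(query_string)
  URI.decode_www_form(query_string).to_h
end

# Template sanity check (hypothetical helper): a GET form must never carry an
# authenticity_token, for the leakage reasons noted above.
def get_form_leaks_token?(html)
  is_get   = !!(html =~ /method="get"/i)
  has_tok  = html.include?("authenticity_token")
  is_get && has_tok
end

if __FILE__ == $PROGRAM_NAME
  puts search_form_html("/tags/search", query: "site")
  puts submitted_query_string("site")
end
```

Running the file prints the form markup and the wire-format query string; the `get_form_leaks_token?` check is the kind of assertion worth running over rendered templates after hand-coding forms, since a copy-pasted hidden token field is easy to miss.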

  3. Greg Hurrell 2010-09-11T12:10:02Z

    Ok, done. Hand-coded forms. Will be included in next deployment.

  4. Greg Hurrell 2010-09-11T12:10:09Z

    Status changed:

    • From: new
    • To: closed