返回列表 发帖
弯月圆刀

Rank: 8Rank: 8
1# 跳转到 » 倒序看帖
打印
tT
发表于 2008-2-8 10:17 | 只看该作者

rails2.0中的protect_from_forgery

rails2.0为了防范CSRF (Cross-Site Request Forgery)攻击,提供了一个小小的手段,那就是protect_from_forgery,对于从1.x升级而来的我,确为此头疼了几个小时。

按照1.x的惯例,我写了几个接受post方法的action,并且在其中设置了断点,然后debug,但是无论怎样,程序在断点处都不会停住。而采用get方法直接访问,就会在断点处停止。最开始怀疑的是Module ActionController::Verification::ClassMethods中的verify方法,是不是不允许post访问,结果试了几次,发现症状不同。所以继续思考,这个时候基本上已经是确定filter环节的问题,因为这些action是通过ajax调用,所以看不到错误信息,为了看到错误信息,手动写了个form,然后执行submit,结果出现错误页面如下:
  1. ActionController::InvalidAuthenticityToken in WelcomeController#auto_complete_for_welcome_to

  3. ActionController::InvalidAuthenticityToken

  5. RAILS_ROOT: D:/My Documents/NetBeansProjects/MovieShowtimes
  6. Application Trace | Framework Trace | Full Trace

  8. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
  9. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:469:in `call'
  10. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:441:in `run'
  11. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:716:in `run_before_filters'
  12. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:695:in `call_filters'
  13. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
  14. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
  15. C:/ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
  16. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
  17. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
  18. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
  19. C:/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
  20. C:/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
  21. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:677:in `perform_action'
  22. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `process_without_filters'
  23. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:685:in `process_without_session_management_support'
  24. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:123:in `process'
  25. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:388:in `process'
  26. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:171:in `handle_request'
  27. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:115:in `dispatch'
  28. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:126:in `dispatch_cgi'
  29. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:9:in `dispatch'
  30. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:112:in `handle_dispatch'
  31. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:78:in `service'
  32. C:/ruby/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
  33. C:/ruby/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
  34. C:/ruby/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
  35. C:/ruby/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
  36. C:/ruby/lib/ruby/1.8/webrick/server.rb:95:in `start'
  37. C:/ruby/lib/ruby/1.8/webrick/server.rb:92:in `start'
  38. C:/ruby/lib/ruby/1.8/webrick/server.rb:23:in `start'
  39. C:/ruby/lib/ruby/1.8/webrick/server.rb:82:in `start'
  40. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:62:in `dispatch'
  41. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/servers/webrick.rb:66
  42. C:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
  43. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
  44. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:342:in `new_constants_in'
  45. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
  46. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
  47. C:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
  48. script\server:3

  50. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
  51. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:469:in `call'
  52. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:441:in `run'
  53. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:716:in `run_before_filters'
  54. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:695:in `call_filters'
  55. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
  56. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
  57. C:/ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
  58. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
  59. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
  60. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
  61. C:/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
  62. C:/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
  63. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:677:in `perform_action'
  64. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `process_without_filters'
  65. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:685:in `process_without_session_management_support'
  66. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:123:in `process'
  67. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:388:in `process'
  68. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:171:in `handle_request'
  69. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:115:in `dispatch'
  70. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:126:in `dispatch_cgi'
  71. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:9:in `dispatch'
  72. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:112:in `handle_dispatch'
  73. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:78:in `service'
  74. C:/ruby/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
  75. C:/ruby/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
  76. C:/ruby/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
  77. C:/ruby/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
  78. C:/ruby/lib/ruby/1.8/webrick/server.rb:95:in `start'
  79. C:/ruby/lib/ruby/1.8/webrick/server.rb:92:in `start'
  80. C:/ruby/lib/ruby/1.8/webrick/server.rb:23:in `start'
  81. C:/ruby/lib/ruby/1.8/webrick/server.rb:82:in `start'
  82. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:62:in `dispatch'
  83. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/servers/webrick.rb:66
  84. C:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
  85. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
  86. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:342:in `new_constants_in'
  87. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
  88. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
  89. C:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
  90. C:/ruby/lib/ruby/gems/1.8/gems/ruby-debug-ide-0.1.9/lib/ruby-debug.rb:79:in `main'
  91. C:/ruby/lib/ruby/gems/1.8/gems/ruby-debug-ide-0.1.9/bin/rdebug-ide:74
  92. C:/ruby/bin/rdebug-ide:19

  94. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
  95. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:469:in `call'
  96. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:441:in `run'
  97. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:716:in `run_before_filters'
  98. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:695:in `call_filters'
  99. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
  100. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
  101. C:/ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
  102. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
  103. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
  104. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
  105. C:/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
  106. C:/ruby/lib/ruby/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
  107. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:677:in `perform_action'
  108. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `process_without_filters'
  109. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:685:in `process_without_session_management_support'
  110. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:123:in `process'
  111. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:388:in `process'
  112. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:171:in `handle_request'
  113. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:115:in `dispatch'
  114. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:126:in `dispatch_cgi'
  115. C:/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:9:in `dispatch'
  116. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:112:in `handle_dispatch'
  117. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:78:in `service'
  118. C:/ruby/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
  119. C:/ruby/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
  120. C:/ruby/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
  121. C:/ruby/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
  122. C:/ruby/lib/ruby/1.8/webrick/server.rb:95:in `start'
  123. C:/ruby/lib/ruby/1.8/webrick/server.rb:92:in `start'
  124. C:/ruby/lib/ruby/1.8/webrick/server.rb:23:in `start'
  125. C:/ruby/lib/ruby/1.8/webrick/server.rb:82:in `start'
  126. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/webrick_server.rb:62:in `dispatch'
  127. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/servers/webrick.rb:66
  128. C:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
  129. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
  130. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:342:in `new_constants_in'
  131. C:/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:496:in `require'
  132. C:/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
  133. C:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
  134. script\server:3
  135. C:/ruby/lib/ruby/gems/1.8/gems/ruby-debug-ide-0.1.9/lib/ruby-debug.rb:79:in `main'
  136. C:/ruby/lib/ruby/gems/1.8/gems/ruby-debug-ide-0.1.9/bin/rdebug-ide:74
  137. C:/ruby/bin/rdebug-ide:19

  139. Request

  141. Parameters:

  143. {"hello"=>""}

  145. Show session dump

  147. ---
  148. :csrf_id: 5572f6d5836d99a6e665ce88f664c741
  149. flash: !map:ActionController::Flash::FlashHash {}


  152. Response

  154. Headers:

  156. {"cookie"=>[],
  157. "Cache-Control"=>"no-cache"}
复制代码
这样一来,事实就清楚了,请查看:
http://api.rubyonrails.org/class ... n/ClassMethods.html

就可以解决一切问题了。
收藏 分享

返回列表