When the print ID cannot be found, the application dumps all
session info as well as the stack trace to the requesting user.
http://foo.com/document/print/1 - ok
http://foo.com/document/print/AAAA
http://foo.com/document/print/34343434
Exception thrown (for both of the above)
Current user's sensitive info is available in the dump:
user: &id001 !ruby/object:User
  attributes:
    salt: (Value here)
    updated_at: (Time_Stamp here)
    delete_after:
    security_token: 2a255f443597dc7d791cb7f2bccdbf6c38556f7f
    role:
    lastname:
    firstname:
    id: "11"
    deleted: "0"
    token_expiry: 2006-06-27 23:47:10
    verified: "1"
    access: "30"
    logged_in_at:
    salted_password: (Hashed_pass here)
    login: tester
    created_at: 2006-06-26 23:47:10
    email:
  errors: !ruby/object:ActiveRecord::Errors
    base: *id001
    errors: {}
flash: !map:ActionController::Flash::FlashHash {}
Logged In: YES
user_id=1546717
The problem is essentially a lack of parameter validation: when a
parameter (e.g. document_id, id) receives an unexpected value, an
exception is thrown whose output is far too helpful to an attacker.
The remedy is proper input and parameter validation (whitelist the
accepted input) and not dumping debugging info to public users;
making it available only to admins or an admin user group would be
good to go.
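The following is an added example, not code from the report or the affected application. It shows the remedy in plain Ruby: the print ID is checked against a whitelist pattern before lookup, lookup failures are turned into typed errors, and the user-facing response never carries session data or a backtrace; only an admin gets the exception class. DOCUMENTS, ID_PATTERN and print_action are assumed names standing in for the real model and controller action.

```ruby
# Constructed in-memory document store standing in for the database.
DOCUMENTS = { 1 => "Quarterly report" }.freeze

# Whitelist: a print ID must be a plain positive integer, nothing else.
ID_PATTERN = /\A[1-9][0-9]*\z/

class DocumentNotFound < StandardError; end
class InvalidParameter < StandardError; end

# Rejects anything that is not a positive integer before it reaches the lookup.
def validate_print_id(raw)
  raise InvalidParameter, "id is not a positive integer" unless ID_PATTERN.match?(raw.to_s)
  raw.to_i
end

# Looks up the document; raises a typed error instead of a generic exception.
def find_document(raw_id)
  id = validate_print_id(raw_id)
  DOCUMENTS.fetch(id) { raise DocumentNotFound, "no document with id #{id}" }
end

# Stands in for the controller action. Errors are written to the log (an array
# here), and the response sent to the user never includes session contents or
# a stack trace; only an admin sees the exception class.
def print_action(raw_id, session:, admin: false, log: [])
  { status: 200, body: find_document(raw_id) }
rescue InvalidParameter, DocumentNotFound => e
  log << "print id=#{raw_id.inspect} failed: #{e.class}: #{e.message} " \
         "(user_id=#{session[:user_id]})"
  response = { status: 404, body: "Document not found" }
  response[:debug] = e.class.name if admin
  response
end
```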