nachbar (45)
#1
The book talks about commenting out protect_from_forgery, and then uncommenting it in iteration 5 without mentioning what had changed to allow protect_from_forgery to be used.

In reviewing old vs. new Rails code (particularly vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb), it appears that the older versions of Rails did not run the forgery protection check for .xml requests, but the newer versions do. Thus, unless you are manually adding the appropriate parameters (see the above file for the current test being done to see if the form request is forged), you will fail the forgery test unless you prevent the test from running. More info on that here:

http://ryandaigle.com/articles/2007/9/24/what-s-new-in-edge-rails-better-cross-site-request-forging-prevention

At a minimum you will need:
skip_before_filter :verify_authenticity_token
in your sessions_controller.rb to avoid the ioError 2032.

You can track this error down by adding a fault event handler to the HTTPService (e.g. in LoginBox.mxml on page 153). You can also look at the output from the server (the "ruby script/server" command), which will show status code 422 instead of 200 for the "session.xml" request.

For a more detailed look, go to the Rails log at log/development.log and look at the end for the most recent error. It will show that ActionController::InvalidAuthenticityToken was thrown by /vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'

CSRF attacks are not so relevant for applications running within Flash Player (as opposed to, for example, applications running within a browser), since Flash Player won't go from one site to another.

If you want to continue to use forgery protection for the .html requests, the best solution is to

1) uncomment protect_from_forgery (so the protection token is generated),

2) skip_before_filter :verify_authenticity_token in the controllers that need to allow .xml to be served without the forgery protection, and then

3) call "verify_authenticity_token" (the same call used by request_forgery_protection.rb) within the .html generation code that you want to protect. verify_authenticity_token will throw the InvalidAuthenticityToken exception if the token is not correct.

If you want to protect your .xml calls too, the check within verify_authenticity_token is:
form_authenticity_token == params[request_forgery_protection_token]
so you would need to get your rails app to send the form_authenticity_token to the Flex client when the session is created, and then your subsequent calls will need to set the "request_forgery_protection_token" param.

James Nachbar
http://www.plastic.org
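The token round-trip nachbar describes in the last two paragraphs (call verify_authenticity_token yourself where you want protection, send form_authenticity_token to the Flex client when the session is created, and have every later call carry it back), worked through as an added example that is not part of this thread, of the book, or of Rails itself. It models the Rails 2.x check (form_authenticity_token == params[request_forgery_protection_token]) in plain Ruby so it runs offline: the parameter name authenticity_token is the Rails 2.x default for request_forgery_protection_token; the session hash, the XML layout of the session response, the task params and the Flex-side result handler (stood in for by a few lines of Ruby) are assumptions made for the demo.

```ruby
require 'securerandom'
require 'rexml/document'

# Same name as the exception that shows up in log/development.log in the post.
class InvalidAuthenticityToken < StandardError; end

# Name of the request parameter Rails 2.x compares against. In the real
# framework this is the class attribute request_forgery_protection_token,
# whose default is :authenticity_token.
TOKEN_PARAM = 'authenticity_token'

# Per-session secret, created once and kept in the session. Modelled on the
# session[:_csrf_token] Rails keeps; the session here is a plain Hash
# (assumption for the demo: no cookie store, no signing).
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# The check the post quotes: form_authenticity_token == params[token].
# GET requests are exempt, as in Rails (they must not change state anyway).
# Returns true on success, raises InvalidAuthenticityToken otherwise; in a
# Rails app that exception is what becomes the 422 the Flex client sees.
def verify_authenticity_token(session, method, params)
  return true if method == :get
  expected = form_authenticity_token(session)
  given = params[TOKEN_PARAM]
  # Compare without short-circuiting so the comparison time does not depend
  # on how many leading bytes match (Rails 2.x used a plain ==; this is just
  # the cheap way to do it right).
  matches = given && given.bytesize == expected.bytesize &&
            given.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) } == 0
  raise InvalidAuthenticityToken, "bad or missing #{TOKEN_PARAM}" unless matches
  true
end

# What SessionsController#create could render for session.xml: the session
# data plus the token the Flex client has to echo back. XML layout is an
# assumption for the demo, not the book's.
def session_create_xml(session, login)
  token = form_authenticity_token(session)
  doc = REXML::Document.new
  root = doc.add_element('session')
  root.add_element('login').text = login
  root.add_element('authenticity_token').text = token
  out = +''
  doc.write(out)
  out
end

# Client side: what the Flex HTTPService result handler would do, written in
# Ruby here so the whole example runs in one process.
def extract_token(xml)
  REXML::Document.new(xml).elements['session/authenticity_token'].text
end

# Params a follow-up POST (e.g. tasks.xml create) must carry.
def task_create_params(token, name)
  { 'task' => { 'name' => name }, TOKEN_PARAM => token }
end

# End-to-end run: login, learn the token, then one good and one forged POST.
def demo
  session = {}                         # server-side session store for one client
  xml = session_create_xml(session, 'james')
  token = extract_token(xml)           # client learns the token once, at login

  ok = verify_authenticity_token(session, :post, task_create_params(token, 'write tests'))
  begin
    verify_authenticity_token(session, :post, { 'task' => { 'name' => 'forged' } })
    rejected = false
  rescue InvalidAuthenticityToken
    rejected = true                    # the path that surfaces as 422 / Error #2032
  end
  { token_sent: ok, missing_token_rejected: rejected, token_length: token.length }
end

puts demo.inspect if __FILE__ == $0
```

Run it with plain `ruby`; the only non-core dependency is the rexml bundled gem. The second request in demo is exactly the situation in the post: a POST to an XML action with no token parameter, which the check rejects even though the client is a legitimate one.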
Atmos (2)
#2
Re: protect_from_forgery problem with Rails 2.1 produces ioError 2032
Hello. Yes I too had this issue. I followed your suggestions which were spot on.

I am now stuck on 6.10, Page 199.

The refresh of the Task list, post the 'POST' of task.xml create, does not work.
It is the same security error. I now get this even after I have commented out the protect_from_forgery. I first tried to add skip_before_filter :verify_authenticity_token
to the TasksController, but to no avail. I thought that it may have been an ActionScript issue with the super constructor having the optional bubbles = true parameter, but that appeared to have no effect.

Rather than just give up, I would much rather solve this issue, but I am running out of options and thought it best to attach to this thread, as it is related.

class ApplicationController < ActionController::Base
...
##protect_from_forgery >>> this may be causing a headache for this tutorial when XML mime types / format > renders are concerned.

#handleTaskCreateFault:
#Code:Server.Error.Request
#Detail:Error: [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032"]. URL: /tasks.xml
#String:HTTP request error
#Cause:[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032"]
...

Thank you for your help. cheers!
peterarmstrong (94)
#3
Re: protect_from_forgery problem with Rails 2.1 produces ioError 2032
Hi all,

The book was written against Rails 2.0.x, not Rails 2.1.

The protect_from_forgery situation is worse now.

We are looking into this as part of our work on the Ruboss Framework, but for now to follow along with the book just disable protect_from_forgery for the time being...

Thanks,
Peter
Atmos (2)
#4
Re: protect_from_forgery problem with Rails 2.1 produces ioError 2032 - Fix
Hello. Thank you for your reply.

I initially had it turned on per the instructions, then removed it completely.

To be quite clear, I have already searched the entire workspace for the

protect_from_forgery; all occurrences have been removed.

Along with multiple rebuilds, it still did NOT allow the Create Tasks to refresh the list and still gives the same Error #2032.

handleTaskCreateFault:
Code:Server.Error.Request
Detail:Error: [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032"]. URL: /tasks.xml
String:HTTP request error
Cause:[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032"]

I thought I was approaching the dreaded "ID10T" Error ...

until I made this change ...

I played around with the HTTPService request within TaskCreateBox.mxml ...

I found that if I change from url="/tasks.xml" to url="/tasks", then it worked.
I did test this just to make sure by putting it back in and it broke again.

...
<mx:HTTPService
    id="svcTasksCreate"
    url="/tasks"                    <<< line changed (was url="/tasks.xml")
    contentType="application/xml"
    ...

This certainly worked and there was much elation; however, I wonder if anyone may offer some illumination, considering my almost nil Rails and Flex experience.

within rake routes ...

...
formatted_tasks GET /tasks.:format {:action=>"index", :controller=>"tasks"}
POST /tasks {:action=>"create", :controller=>"tasks"}
POST /tasks.:format {:action=>"create", :controller=>"tasks"}
...

Perhaps there is an issue with the "POST /tasks.:format" and not with the "POST /tasks"?

Thank you.
nachbar (45)
#5
Re: protect_from_forgery problem with Rails 2.1 produces ioError 2032
Update for Rails 2.2: According to the release notes: “Request forgery protection has been tightened up to apply to HTML-formatted content requests only” in Rails 2.2 — I have not tested this, but it should obviate the problem addressed in this post for Rails 2.2 and newer.
omichowdhury (3)
#6
Re: protect_from_forgery problem with Rails 2.1 produces ioError 2032
Hi All,

I had the same issue with Rails 2.2.2 during iteration 5, but it was fixed with the patch suggested by nachbar.

It seems that non-HTML content is still being asked for Auth Tokens.
Rails throws an "ActionController::InvalidAuthenticityToken in SessionsController#create” error when you try to POST session.xml

Would this be a bug in Rails 2.2?

Omi