Is it safe to accept URL parameters for populating the `url_for` method?

春和景丽 2021-01-19 21:39

I am using Ruby on Rails 4.1.1 and I am thinking of accepting parameters (through URL query strings) that are passed directly to the url_for method, this way:

3 answers
  •  长情又很酷
    2021-01-19 22:41

    Rails redirect_to sets the HTTP status code to 302 Found, which tells the browser to GET the new path as you defined it with url_for. GET is considered a safe method in contrast to

    ... methods such as POST, PUT, DELETE and PATCH [which] are intended for actions that may cause side effects either on the server, or external side effects ...

    The only problem would have been if someone could gain access to methods such as create and destroy. Since these methods use HTTP methods other than GET (respectively POST and DELETE) it should be no problem.

    Another danger here is if you go beyond the CRUD methods of REST and have a custom method which responds to GET and changes the database state:

    routes.rb

    resources :something do
      member do
        get :my_action   # GET /something/:id/my_action
      end
    end


    SomethingController

    class SomethingController < ApplicationController
      def my_action
        # delete some records
      end
    end


    For future ref:

    Rails has a number of security measurements which may also interest you.
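    The behaviour described in this answer, as an added example that is not part of the original question or answer and does not use Rails itself: Store, Router and SomethingsController are stand-ins constructed here, with the route table mirroring `resources :something` plus the custom `get :my_action` member route. It shows that a redirect target taken from user parameters can only reach GET routes (so the DELETE-only destroy action is out of reach), that a state-changing action mounted on GET is reachable, and a small review helper that lists exactly those GET routes.

```ruby
# Added example, not from the question or answers: dependency-free stand-in
# for the Rails routing/redirect behaviour the answer describes.

# Constructed record store standing in for the database.
class Store
  attr_reader :records
  def initialize
    @records = { 1 => 'first', 2 => 'second' }
  end
end

# Controller stand-in. `destroy` is mounted on DELETE only; `my_action`
# deletes records too but is mounted on GET, the case the answer warns about.
class SomethingsController
  def initialize(store)
    @store = store
  end

  def show(id)
    "showing #{@store.records[id]}"
  end

  def destroy(id)
    @store.records.delete(id)
    'destroyed'
  end

  def my_action(id)
    @store.records.delete(id)
    'my_action ran'
  end
end

# Minimal route table: (HTTP method, path pattern) => action name.
class Router
  Route = Struct.new(:method, :pattern, :action)

  def initialize
    @routes = []
  end

  def add(method, pattern, action)
    @routes << Route.new(method, pattern.split('/'), action)
  end

  # Returns [action, id] for the first matching route, or nil.
  def match(method, path)
    segs = path.split('/')
    @routes.each do |r|
      next unless r.method == method && r.pattern.length == segs.length
      id = nil
      ok = r.pattern.zip(segs).all? do |pat, seg|
        if pat == ':id'
          id = Integer(seg, exception: false)
          !id.nil?
        else
          pat == seg
        end
      end
      return [r.action, id] if ok
    end
    nil
  end

  # Review helper: GET routes whose action is in the caller's list of
  # state-changing actions. These are reachable through any user-controlled 302.
  def get_routes_with_side_effects(mutating_actions)
    @routes.select { |r| r.method == :get && mutating_actions.include?(r.action) }
           .map { |r| [r.pattern.join('/'), r.action] }
  end
end

def build_router
  router = Router.new
  router.add(:get,    '/something/:id',           'show')      # resources :something
  router.add(:delete, '/something/:id',           'destroy')   # resources :something
  router.add(:get,    '/something/:id/my_action', 'my_action') # custom member route
  router
end

# Simulates redirect_to url_for(params): server answers 302, browser follows
# with a GET, so only GET routes are reachable. Returns [status, body].
def follow_redirect(router, controller, location)
  action, id = router.match(:get, location)
  return [404, 'no GET route'] if action.nil?
  [200, controller.public_send(action, id)]
end

if __FILE__ == $PROGRAM_NAME
  store = Store.new
  ctl = SomethingsController.new(store)
  router = build_router
  p follow_redirect(router, ctl, '/something/1')           # harmless: show
  p follow_redirect(router, ctl, '/something/2/my_action') # deletes record 2 via GET
  p router.get_routes_with_side_effects(%w[destroy my_action])
end
```

    Running the review helper against the real application's route table (for Rails, `rails routes` lists method, path and controller#action) is the check to do before letting user input drive url_for: the fix for any entry it reports is to mount the action on POST/DELETE/PATCH instead of GET, as the answer suggests.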
