author | Pratik Naik <pratiknaik@gmail.com> | 2009-01-16 04:34:34 +0000 |
---|---|---|
committer | Pratik Naik <pratiknaik@gmail.com> | 2009-01-16 04:34:34 +0000 |
commit | ea21b23b92fec1eb5fcc180f8bc054151216538b (patch) | |
tree | ee6e833d61873ef019742809a53e4bc7ab26dca6 /railties/doc/guides/html/security.html | |
parent | 7d2e3ef315489d06e5074c2a7b9b6425aa3e74ce (diff) | |
download | rails-ea21b23b92fec1eb5fcc180f8bc054151216538b.tar.gz rails-ea21b23b92fec1eb5fcc180f8bc054151216538b.tar.bz2 rails-ea21b23b92fec1eb5fcc180f8bc054151216538b.zip |
* Tabs -> Spaces in guides templates
* Move inline css to a file
Diffstat (limited to 'railties/doc/guides/html/security.html')
-rw-r--r-- | railties/doc/guides/html/security.html | 466 |
1 files changed, 149 insertions, 317 deletions
diff --git a/railties/doc/guides/html/security.html b/railties/doc/guides/html/security.html index 4cbc8214b9..4751e9f92b 100644 --- a/railties/doc/guides/html/security.html +++ b/railties/doc/guides/html/security.html 
@@ -1,324 +1,156 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> - <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> - <title>Ruby On Rails Security Guide</title> - <!--[if lt IE 8]> - <script src="http://ie7-js.googlecode.com/svn/version/2.0(beta3)/IE8.js" type="text/javascript"></script> - <![endif]--> - <link href="stylesheets/base.css" media="screen" rel="Stylesheet" type="text/css" /> - <link href="stylesheets/forms.css" media="screen" rel="Stylesheet" type="text/css" /> - <link href="stylesheets/more.css" media="screen" rel="Stylesheet" type="text/css" /> - <style type="text/css"> - div#container { - max-width: 900px; - padding-bottom: 3em; -} - -div#content { - margin-left: 200px; -} - -div#container.notoc { - max-width: 600px; -} - -.notoc div#content { - margin-left: 0; -} - -pre { - line-height: 1.4em; -} - -#content p tt { - background: #eeeeee; - border: solid 1px #cccccc; - padding: 3px; -} - -dt { - font-weight: bold; -} - -#content dt tt { - font-size: 10pt; -} - -dd { - margin-left: 3em; -} - -#content dt tt, #content pre tt { - background: none; - padding: 0; - border: 0; -} - -#content .olist ol { - margin-left: 2em; -} - -#header { - position: relative; - max-width: 840px; - margin-left: auto; - margin-right: auto; -} - -#header.notoc { - max-width: 580px; -} - -#logo { - position: absolute; - left: 10px; - top: 10px; - width: 110px; - height: 140px; -} - -div#header h1#site_title { - background: url('images/ruby_on_rails_by_mike_rundle2.gif') top left no-repeat; - position: absolute; - width: 392px; - height: 55px; - left: 145px; - top: 20px; - margin: 0; - padding: 0; -} - -#site_title span { - display: none; -} - -#site_title_tagline { - display: none; -} - -ul#navMain { - position: absolute; - margin: 0; - padding: 0; - top: 97px; - left: 145px; -} - -.left-floaty, .right-floaty { - 
padding: 15px; -} - -.admonitionblock, -.tableblock { - margin-left: 1em; - margin-right: 1em; - margin-top: 0.25em; - margin-bottom: 1em; -} - -.admonitionblock .icon { - padding-right: 8px; -} - -.admonitionblock .content { - border: solid 1px #ffda78; - background: #fffebd; - padding: 10px; - padding-top: 8px; - padding-bottom: 8px; -} - -.admonitionblock .title { - font-size: 140%; - margin-bottom: 0.5em; -} - -.tableblock table { - border: solid 1px #aaaaff; - background: #f0f0ff; -} - -.tableblock th { - background: #e0e0e0; -} - -.tableblock th, -.tableblock td { - padding: 3px; - padding-left: 5px; - padding-right: 5px; -} - -.sidebarblock { - margin-top: 0.25em; - margin: 1em; - border: solid 1px #ccccbb; - padding: 8px; - background: #ffffe0; -} - -.sidebarblock .sidebar-title { - font-size: 140%; - font-weight: 600; - margin-bottom: 0.3em; -} - -.sidebarblock .sidebar-content > .para:last-child > p { - margin-bottom: 0; -} - -.sidebarblock .sidebar-title a { - text-decoration: none; -} - -.sidebarblock .sidebar-title a:hover { - text-decoration: underline; -} - - </style> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <title>Ruby On Rails Security Guide</title> + <!--[if lt IE 8]> + <script src="http://ie7-js.googlecode.com/svn/version/2.0(beta3)/IE8.js" type="text/javascript"></script> + <![endif]--> + <link href="stylesheets/base.css" media="screen" rel="Stylesheet" type="text/css" /> + <link href="stylesheets/forms.css" media="screen" rel="Stylesheet" type="text/css" /> + <link href="stylesheets/more.css" media="screen" rel="Stylesheet" type="text/css" /> </head> <body> - <div id="header" > - <div id="logo"> - <a href="index.html" title="Ruby on Rails"><img src="images/rails_logo_remix.gif" alt="Rails" height="140" width="110" /></a> - </div> - - <h1 id="site_title"><span>Ruby on Rails</span></h1> - <h2 id="site_title_tagline">Sustainable productivity for web-application development</h2> + <div id="header" > + <div 
id="logo"> + <a href="index.html" title="Ruby on Rails"><img src="images/rails_logo_remix.gif" alt="Rails" height="140" width="110" /></a> + </div> + + <h1 id="site_title"><span>Ruby on Rails</span></h1> + <h2 id="site_title_tagline">Sustainable productivity for web-application development</h2> - <ul id="navMain"> - <li class="first-child"><a href="http://www.rubyonrails.org/" title="Ruby on Rails" class="ruby_on_rails">Ruby on Rails</a></li> - <li><a class="manuals" href="index.html" title="Manuals Index">Guides Index</a></li> - </ul> - </div> + <ul id="navMain"> + <li class="first-child"><a href="http://www.rubyonrails.org/" title="Ruby on Rails" class="ruby_on_rails">Ruby on Rails</a></li> + <li><a class="manuals" href="index.html" title="Manuals Index">Guides Index</a></li> + </ul> + </div> - <div id="container"> - - <div id="sidebar"> - <h2>Chapters</h2> - <ol> - <li> - <a href="#_introduction">Introduction</a> - </li> - <li> - <a href="#_sessions">Sessions</a> - <ul> - - <li><a href="#_what_are_sessions">What are sessions?</a></li> - - <li><a href="#_session_id">Session id</a></li> - - <li><a href="#_session_hijacking">Session hijacking</a></li> - - <li><a href="#_session_guidelines">Session guidelines</a></li> - - <li><a href="#_session_storage">Session storage</a></li> - - <li><a href="#_replay_attacks_for_cookiestore_sessions">Replay attacks for CookieStore sessions</a></li> - - <li><a href="#_session_fixation">Session fixation</a></li> - - <li><a href="#_session_fixation_countermeasures">Session fixation – Countermeasures</a></li> - - <li><a href="#_session_expiry">Session expiry</a></li> - - </ul> - </li> - <li> - <a href="#_cross_site_reference_forgery_csrf">Cross-Site Reference Forgery (CSRF)</a> - <ul> - - <li><a href="#_csrf_countermeasures">CSRF Countermeasures</a></li> - - </ul> - </li> - <li> - <a href="#_redirection_and_files">Redirection and Files</a> - <ul> - - <li><a href="#_redirection">Redirection</a></li> - - <li><a 
href="#_file_uploads">File uploads</a></li> - - <li><a href="#_executable_code_in_file_uploads">Executable code in file uploads</a></li> - - <li><a href="#_file_downloads">File downloads</a></li> - - </ul> - </li> - <li> - <a href="#_intranet_and_admin_security">Intranet and Admin security</a> - <ul> - - <li><a href="#_additional_precautions">Additional precautions</a></li> - - </ul> - </li> - <li> - <a href="#_mass_assignment">Mass assignment</a> - <ul> - - <li><a href="#_countermeasures">Countermeasures</a></li> - - </ul> - </li> - <li> - <a href="#_user_management">User management</a> - <ul> - - <li><a href="#_brute_forcing_accounts">Brute-forcing accounts</a></li> - - <li><a href="#_account_hijacking">Account hijacking</a></li> - - <li><a href="#_captchas">CAPTCHAs</a></li> - - <li><a href="#_logging">Logging</a></li> - - <li><a href="#_good_passwords">Good passwords</a></li> - - <li><a href="#_regular_expressions">Regular expressions</a></li> - - <li><a href="#_privilege_escalation">Privilege escalation</a></li> - - </ul> - </li> - <li> - <a href="#_injection">Injection</a> - <ul> - - <li><a href="#_whitelists_versus_blacklists">Whitelists versus Blacklists</a></li> - - <li><a href="#_sql_injection">SQL Injection</a></li> - - <li><a href="#_cross_site_scripting_xss">Cross-Site Scripting (XSS)</a></li> - - <li><a href="#_css_injection">CSS Injection</a></li> - - <li><a href="#_textile_injection">Textile Injection</a></li> - - <li><a href="#_ajax_injection">Ajax Injection</a></li> - - <li><a href="#_rjs_injection">RJS Injection</a></li> - - <li><a href="#_command_line_injection">Command Line Injection</a></li> - - <li><a href="#_header_injection">Header Injection</a></li> - - </ul> - </li> - <li> - <a href="#_additional_resources">Additional resources</a> - </li> - <li> - <a href="#_changelog">Changelog</a> - </li> - </ol> - </div> - - <div id="content"> - <h1>Ruby On Rails Security Guide</h1> - <div id="preamble">
+ <div id="container"> + + <div id="sidebar"> + <h2>Chapters</h2> + <ol> + <li> + <a href="#_introduction">Introduction</a> + </li> + <li> + <a href="#_sessions">Sessions</a> + <ul> + + <li><a href="#_what_are_sessions">What are sessions?</a></li> + + <li><a href="#_session_id">Session id</a></li> + + <li><a href="#_session_hijacking">Session hijacking</a></li> + + <li><a href="#_session_guidelines">Session guidelines</a></li> + + <li><a href="#_session_storage">Session storage</a></li> + + <li><a href="#_replay_attacks_for_cookiestore_sessions">Replay attacks for CookieStore sessions</a></li> + + <li><a href="#_session_fixation">Session fixation</a></li> + + <li><a href="#_session_fixation_countermeasures">Session fixation – Countermeasures</a></li> + + <li><a href="#_session_expiry">Session expiry</a></li> + + </ul> + </li> + <li> + <a href="#_cross_site_reference_forgery_csrf">Cross-Site Reference Forgery (CSRF)</a> + <ul> + + <li><a href="#_csrf_countermeasures">CSRF Countermeasures</a></li> + + </ul> + </li> + <li> + <a href="#_redirection_and_files">Redirection and Files</a> + <ul> + + <li><a href="#_redirection">Redirection</a></li> + + <li><a href="#_file_uploads">File uploads</a></li> + + <li><a href="#_executable_code_in_file_uploads">Executable code in file uploads</a></li> + + <li><a href="#_file_downloads">File downloads</a></li> + + </ul> + </li> + <li> + <a href="#_intranet_and_admin_security">Intranet and Admin security</a> + <ul> + + <li><a href="#_additional_precautions">Additional precautions</a></li> + + </ul> + </li> + <li> + <a href="#_mass_assignment">Mass assignment</a> + <ul> + + <li><a href="#_countermeasures">Countermeasures</a></li> + + </ul> + </li> + <li> + <a href="#_user_management">User management</a> + <ul> + + <li><a href="#_brute_forcing_accounts">Brute-forcing accounts</a></li> + + <li><a href="#_account_hijacking">Account hijacking</a></li> + + <li><a href="#_captchas">CAPTCHAs</a></li> + + <li><a 
href="#_logging">Logging</a></li> + + <li><a href="#_good_passwords">Good passwords</a></li> + + <li><a href="#_regular_expressions">Regular expressions</a></li> + + <li><a href="#_privilege_escalation">Privilege escalation</a></li> + + </ul> + </li> + <li> + <a href="#_injection">Injection</a> + <ul> + + <li><a href="#_whitelists_versus_blacklists">Whitelists versus Blacklists</a></li> + + <li><a href="#_sql_injection">SQL Injection</a></li> + + <li><a href="#_cross_site_scripting_xss">Cross-Site Scripting (XSS)</a></li> + + <li><a href="#_css_injection">CSS Injection</a></li> + + <li><a href="#_textile_injection">Textile Injection</a></li> + + <li><a href="#_ajax_injection">Ajax Injection</a></li> + + <li><a href="#_rjs_injection">RJS Injection</a></li> + + <li><a href="#_command_line_injection">Command Line Injection</a></li> + + <li><a href="#_header_injection">Header Injection</a></li> + + </ul> + </li> + <li> + <a href="#_additional_resources">Additional resources</a> + </li> + <li> + <a href="#_changelog">Changelog</a> + </li> + </ol> + </div> + + <div id="content"> + <h1>Ruby On Rails Security Guide</h1> + <div id="preamble">
<div class="sectionbody">
<div class="paragraph"><p>This manual describes common security problems in web applications and how to avoid them with Rails. If you have any questions or suggestions, please
mail me, Heiko Webers, at 42 {<em>et</em>} rorsecurity.info. After reading it, you should be familiar with:</p></div>
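Review bot: the inline `<style>` block is dropped from `<head>` but no new `<link>` is added next to the existing base.css, forms.css and more.css links, so the moved rules (div#container, #content, .admonitionblock, .tableblock, .sidebarblock and the rest) must already live in one of those three files or the rendered guide loses its sidebar and admonition layout; if they went into a new file, as the commit message suggests, this hunk needs the matching `<link href="stylesheets/....css" ... />`. While the head is being re-indented, the retained `<script src="http://ie7-js.googlecode.com/svn/version/2.0(beta3)/IE8.js" type="text/javascript"></script>` deserves a second look: it pulls a third-party script over plain HTTP into the page that is itself the Rails security guide, so any on-path attacker can replace it with arbitrary JavaScript; shipping a local copy under the guides' own tree would remove that dependency.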
@@ -449,7 +281,7 @@ The client can see everything you store in a session, because it is stored in cl <div class="literalblock">
<div class="content">
<pre><tt>config.action_controller.session = {
- :session_key => ‘_app_session’,
+ :key => ‘_app_session’,
:secret => ‘0x0dkfj3927dkc7djdh36rkckdfzsg...’
}</tt></pre>
</div></div>
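Review bot: the replacement line keeps the typographic quotes in `:key => ‘_app_session’,` (U+2018/U+2019, and the unchanged `:secret => ‘0x0dkfj...’` line below has the same problem), which are not Ruby string delimiters, so the snippet fails with a syntax error if a reader pastes it into environment.rb; since the line is being rewritten anyway, use plain ASCII quotes, for example `:key => '_app_session',`. The `:session_key` to `:key` rename is the only substantive change to this file, so the surrounding prose (the paragraph beginning "The client can see everything you store in a session" and the CookieStore material it belongs to) should be checked for any remaining mention of the old `:session_key` option name so the text and the sample stay consistent.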
@@ -1315,7 +1147,7 @@ November 1, 2008: First approved version by Heiko Webers </ul></div>
</div>
- </div> - </div> + </div> + </div> </body> </html> |