An issue for consideration

Bluebie, Jenna blueberry at creativepony.com
Fri May 23 00:46:55 EDT 2008


We've just come across an issue for consideration. I am avoiding some  
words which would allow people to find this message in an internet  
search who have questionable intentions, but wish to communicate a  
strong sense of caution. Consider someone who adds extra methods to  
their controller which they use in their main get/post methods to do  
things or to get secret data. Consider now, this http request:

> FOO / HTTP/1.1


And consider that camping allows methods to return a string and have  
that returned as a body. This could make for a lovely convenient form  
of RPC, but to those unaware, it seems there could be negative  
results. Aria has discovered with some testing that it is also  
possible to access helper methods remotely in this way, which is  
especially worth consideration as some of us use helper methods to do  
important things, and do not expect them to be directly accessible to  
the outside world.

In my own app, I will be using a service to filter all requests which  
don't use a standard http method. I'd like to suggest that in the next  
release of camping, we could do something like return unless ['GET',  
'POST', 'DELETE', 'HEAD'].include?(request_method), perhaps in the run  
method of camping. Or maybe we could raise an error. I'd also  
appreciate it if this update were deployed to rubygems servers without  
haste. I'll be sure to post the service I write to work around this  
issue just as soon as I'm done writing it.


—
Thoughtful Pony
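The dispatch problem described in this message, modelled as an added example. This is not Camping's own code and not the service the poster promised to publish; Camping is not loaded at all. `Controller`, `naive_dispatch`, `filtered_dispatch` and `MethodFilter` are hypothetical stand-ins that imitate the pattern of calling a controller method named after the HTTP verb, first without any check and then with the allowlist the message proposes (`GET`, `POST`, `DELETE`, `HEAD`), plus the same check written as a Rack-style middleware that can sit in front of any app.

```ruby
# Added example, not Camping's code: a minimal model of "call the controller
# method named after the request method" and of the allowlist fix.

ALLOWED_METHODS = %w[GET POST DELETE HEAD].freeze

# Hypothetical controller. get/post are the handlers the author means to
# expose; secret_data is a helper used inside them and not meant for HTTP.
class Controller
  def get;  "public page" end
  def post; "form accepted" end

  def secret_data
    "internal secret"
  end
end

# Naive dispatch: the verb from the request line, lower-cased, becomes the
# method name, so a request line of "SECRET_DATA / HTTP/1.1" reaches the
# helper just like "GET / HTTP/1.1" reaches #get.
def naive_dispatch(request_method)
  ctrl = Controller.new
  meth = request_method.downcase.to_sym
  return [404, "not found"] unless Controller.instance_methods(false).include?(meth)
  [200, ctrl.send(meth)]
end

# The check suggested in the message, placed before any controller code
# runs: anything outside the allowlist is refused with 405.
def filtered_dispatch(request_method)
  return [405, "method not allowed"] unless ALLOWED_METHODS.include?(request_method)
  naive_dispatch(request_method)
end

# The same allowlist as a Rack-style middleware (hypothetical name), for
# frameworks that expose the verb as env["REQUEST_METHOD"].
class MethodFilter
  def initialize(app, allowed = ALLOWED_METHODS)
    @app = app
    @allowed = allowed
  end

  def call(env)
    unless @allowed.include?(env["REQUEST_METHOD"])
      return [405, { "Content-Type" => "text/plain" }, ["Method Not Allowed"]]
    end
    @app.call(env)
  end
end

if __FILE__ == $0
  # Constructed request verbs, run through both dispatchers.
  %w[GET SECRET_DATA].each do |verb|
    puts "#{verb.ljust(12)} naive: #{naive_dispatch(verb).inspect}"
    puts "#{verb.ljust(12)} filtered: #{filtered_dispatch(verb).inspect}"
  end
end
```

The allowlist is checked against the verb exactly as received (upper case, no `downcase`), so a lower- or mixed-case verb is rejected too; comparing after normalising would widen what reaches the controller. Note also that the filter only narrows which verbs get through: a controller that defines a public method named `delete` or `head` for some other purpose is still reachable under those verbs.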