An issue for consideration
Aria Stewart
aredridel at nbtsc.org
Fri May 23 09:56:45 EDT 2008
On May 22, 2008, at 10:46 PM, Bluebie, Jenna wrote:
> We've just come across an issue for consideration. I am avoiding
> some words which would allow people to find this message in an
> internet search who have questionable intentions, but wish to
> communicate a strong sense of caution. Consider someone who adds
> extra methods to their controller which they use in their main get/
> post methods to do things or to get secret data. Consider now, this
> http request:
>
>> FOO / HTTP/1.1
>
>
> And consider that camping allows methods to return a string and have
> that returned as a body. This could make for a lovely convenient
> form of RPC, but to those unaware, it seems there could be negative
> results. Aria has discovered with some testing that it is also
> possible to access helper methods remotely in this way, which is
> especially worth consideration as some of us use helper methods to
> do important things, and do not expect them to be directly
> accessible to the outside world.
>
> In my own app, I will be using a service to filter all requests
> which don't use a standard http method. I'd like to suggest that in
> the next release of camping, we could do something like return
> unless ['GET', 'POST', 'DELETE', 'HEAD'].include?(request_method),
> perhaps in the run method of camping. Or maybe we could raise an
> error. I'd also appreciate it if this update were deployed to
> rubygems servers without haste. I'll be sure to post the service I
> write to work around this issue just as soon as I'm done writing it.
>
>
return unless ['GET', 'POST', 'DELETE', 'HEAD'].include?(ControllerClass.instance_methods(false)) -- only use methods defined directly in the controller?
> —
> Thoughtful Pony
Aria Stewart
aredridel at nbtsc.org
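The dispatch problem described in the thread, and the two proposed mitigations, as an added example that is not part of the original messages and not Camping's own source. It is a toy dispatcher in plain Ruby: the controller class, the request struct and the function names are assumptions made for illustration. The unfiltered version calls whatever method name the request verb spells out, so a helper like secret_data is reachable from the network; the hardened version applies Jenna's allow list of HTTP methods first and then, following Aria's suggestion, only calls methods defined directly in the controller class.

```ruby
require 'set'

# Added example (not Camping's code). A controller the way the thread describes
# one: public get/post plus a helper that was never meant to be reachable.
class ToyController
  def get
    "hello from GET"
  end

  def post
    "hello from POST"
  end

  # Internal helper used by get/post; its result must not leak to a client.
  def secret_data
    "constructed secret value"
  end
end

# Minimal model of an HTTP request: only the verb and path matter here.
Request = Struct.new(:verb, :path)

# The dispatch pattern the thread warns about: the request verb is lower-cased
# and called on the controller as-is, so any public method (including helpers
# and methods inherited from Object) becomes callable from the network.
def dispatch_unfiltered(controller_class, request)
  controller = controller_class.new
  name = request.verb.downcase
  return [404, "not found"] unless controller.respond_to?(name)
  [200, controller.public_send(name)]
end

# Hardened dispatch. First check: the verb must be on an explicit allow list
# (Jenna's suggestion). Second check: the method must be defined directly in
# the controller class (Aria's suggestion), which keeps inherited Object
# methods and mixed-in helpers out of reach.
ALLOWED_METHODS = Set.new(%w[GET POST DELETE HEAD]).freeze

def dispatch_filtered(controller_class, request)
  unless ALLOWED_METHODS.include?(request.verb)
    # 405 Method Not Allowed is the right answer for an unknown verb.
    return [405, "method not allowed"]
  end
  name = request.verb.downcase.to_sym
  unless controller_class.instance_methods(false).include?(name)
    return [404, "not found"]
  end
  [200, controller_class.new.public_send(name)]
end
```

Note that the second check alone would not have protected secret_data in this controller, since the helper is defined directly in the class; it is the verb allow list that closes the hole, and the instance_methods(false) check is defence in depth against helpers that arrive through inheritance or mixins.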