<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I was short on time and unfamiliar with the code when I put the fix in, which is why I went with the nuclear option of removing the before filter. I was a little surprised to see all tests passing with the before filter removed.<div><br></div><div>In addition to user-verification of the fix, we could use a test breaking the old version and working under David's new patch. Unfortunately I'm low on spare cycles . . .</div><div><div><br></div><div> - kevin<br><div><br><div><div>On Feb 25, 2009, at 11:00 AM, David Clements wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">In case it got lost in my grumpiness last night.<br><br>The patch to fix this issue simply turned off adapter support. Is that correct?<br><br>I sent a pull request from my fork <a href="http://github.com/digidigo/facebooker/tree/master">http://github.com/digidigo/facebooker/tree/master</a> which should fix the issue and preserve the behavior. If anyone is using Facebooker to run multiple apps or Bebo it would be great if you could check it out and make sure that it didn't break.<br> <br>Thanks,<br><br>Dave<br><br><div><span class="gmail_quote">On 2/24/09, <b class="gmail_sendername">vincent chu</b> &lt;<a href="mailto:vincentchu@gmail.com">vincentchu@gmail.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Hi all ---<br><br>In the course of developing our Facebook connect app, we realized that there was a security hole in Facebooker that allows any malicious user to change the state of the Facebooker module and crash any controller/view that uses Facebooker to capture a Facebook session. 
For Facebook connect apps, this could potentially be in any view that uses the "set_facebook_session" before_filter.<br> <br>All the malicious user has to do is send a malformed HTTP request similar to:<br><br><a href="http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned</a><br> <br>The problem comes in the 'set_adapter' method of 'facebooker/lib/facebooker/rails/controller.rb' where Facebooker will attempt to load an adapter from the params hash if fb_sig_api_key is in the request (ignoring the configuration found in the facebooker.yml file). In this case, Facebooker would dutifully set the api_key to "you_are_pwned" and any subsequent call to Facebooker would try and use "you_are_pwned" as the api_key, causing it to crash the site. <br> <br>Kevin Lochner's already pushed an update to github, so update to the latest commit:<br><br>6a954874369354324d87b2fe09c24db4bd485faf<br><a href="http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf</a><br clear="all"> <br>Cheers,<br><br>Vince<br><br>----<br>Vincent Chu<br>Department of Applied Physics<br>Geballe Laboratory of Advanced Materials<br>McCullough Bldg. 
318<br>476 Lomita Mall<br>Stanford, CA, 94305<br><br>Consider this:<br> "The smallest positive integer not definable in under eleven words."<br> <br>_______________________________________________<br> Facebooker-talk mailing list<br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Facebooker-talk@rubyforge.org">Facebooker-talk@rubyforge.org</a><br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://rubyforge.org/mailman/listinfo/facebooker-talk" target="_blank">http://rubyforge.org/mailman/listinfo/facebooker-talk</a><br> <br></blockquote></div><br></blockquote></div><br></div></div></div></body></html>
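An added illustration of the adapter-selection bug Vince describes and of the behaviour Dave's patch aims to keep (multiple apps or Bebo on one codebase); this is example code, not Facebooker's own, and the facebooker.yml layout, method names and constructed keys are assumptions.

```ruby
# Added illustration, NOT Facebooker's own code. The config layout and
# method names are assumed; the point is that a request value may pick
# an adapter only if it matches an application the operator configured.
require 'yaml'

# Constructed stand-in for facebooker.yml: a default app plus a second
# app (say a Bebo deployment) that legitimately shares this codebase.
FACEBOOKER_YML = <<~YAML
  development:
    api_key: default_api_key_0000
    secret_key: default_secret
  bebo:
    api_key: bebo_api_key_1111
    secret_key: bebo_secret
YAML

CONFIG = YAML.safe_load(FACEBOOKER_YML)
DEFAULT_ENV = 'development'

# Vulnerable shape: whatever the client sends as fb_sig_api_key becomes
# the key every later call uses, so "you_are_pwned" poisons the whole
# request and the session-capture path falls over.
def adapter_key_trusting_params(params)
  params['fb_sig_api_key'] || CONFIG[DEFAULT_ENV]['api_key']
end

# Hardened shape: a request may only select among configured apps.
# Unknown keys fall back to the default adapter and are logged so the
# attempt is visible instead of surfacing as a crash.
def adapter_key_checked(params, log = [])
  requested = params['fb_sig_api_key']
  return CONFIG[DEFAULT_ENV]['api_key'] if requested.nil?

  known = CONFIG.values.find { |app| app['api_key'] == requested }
  return known['api_key'] if known

  log << "rejected unknown fb_sig_api_key=#{requested.inspect}; using default adapter"
  CONFIG[DEFAULT_ENV]['api_key']
end

if __FILE__ == $PROGRAM_NAME
  hostile = { 'fb_sig_api_key' => 'you_are_pwned' }
  puts "trusting params: #{adapter_key_trusting_params(hostile)}"
  log = []
  puts "checked:         #{adapter_key_checked(hostile, log)}"
  puts log
end
```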