path: root/_build/static/archives/extend/attachments/20130415/59aaeef2/attachment.html
Loic,

After giving the CSRF middleware some thought and reading https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL I came to the conclusion that it is best to just not create the middleware and instead deal with CSRF on an as-needed basis.

I know that node's Connect middleware http://www.senchalabs.org/connect/csrf.html#defaultValue for example allows for the csrf token to be passed as a query string parameter; however, the OWASP article made me think that it is not the most secure approach.

For example, AngularJS http://docs.angularjs.org/api/ng.$http has a section on how their AJAX component behaves to do CSRF out of the box, and they are talking about the server sending a cookie XSRF-TOKEN that is not HttpOnly. That makes me realize that csrf is a process more than just slapping some middleware into the pipeline.

Btw, I noticed that when the result of the middleware execute function is:
{error, StatusCode, Req}
if I set the reply on the request via cowboy_req:reply before returning the {error.. , the status code of that reply will be used.

Such as:
{ok, Req3} = cowboy_req:reply(403, [], "Invalid CSRF Token.", Req2),
{error, 500, Req3}; % 500 is ignored, 403 is returned

Is that by design?

Sincerely,

rambocoder


On Mon, Apr 15, 2013 at 4:47 PM, Loïc Hoguin <[email protected]> wrote:
> Why not just put the token in the URL instead? If it's CSRF then it's probably used only once and only for POST and the like, so not cached or anything.
>
> On 04/15/2013 10:45 PM, rambocoder wrote:
>> Hello group,
>>
>> I am trying to put together a CSRF middleware
>> https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693 and
>> if the body of the request contains "_csrf" token, I check to make sure
>> it matches the csrf token in the session.
>>
>> Currently I am doing it in middleware using cowboy_req:body_qs/1 however
>> when in the handler I need to read another body parameter, such as in
>> the rest_pastebin example:
>>
>> {ok, BodyQs, Req3} = cowboy_req:body_qs(Req),
>> Paste = proplists:get_value(<<"paste">>, BodyQs),
>>
>> cowboy_req:body_qs/1 returns [] due to the body of the request being
>> already read {body_state,done}
>>
>> Is it pointless to have the type of CSRF middleware that I am writing
>> and just do the CSRF in the handler's callback, where I can deal with
>> all the body_qs at once?
>>
>> Thank you,
>>
>> rambocoder
>>
>> _______________________________________________
>> Extend mailing list
>> [email protected]
>> http://lists.ninenines.eu:81/listinfo/extend
>
> --
> Loïc Hoguin
> Erlang Cowboy
> Nine Nines
> http://ninenines.eu
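The thread raises two concrete design points: a middleware that calls cowboy_req:body_qs/1 consumes the body so the handler's own body_qs/1 call gets [], and the AngularJS cookie/header pattern lets the check run without touching the body at all. The module below is an added example written for this page; it is neither rambocoder's commit nor Cowboy's own code. It is written against the Cowboy 0.8-era API the thread uses (tuple-returning cowboy_req accessors, middleware execute/2 returning {ok, Req, Env} or {halt, Req}); the cookie name XSRF-TOKEN and header name x-xsrf-token follow the AngularJS convention mentioned in the thread, and the assumption that a login handler sets that cookie (not HttpOnly) and that the handler holds the session token for the form-field variant are mine. The middleware performs the header-versus-cookie comparison for state-changing methods and replies 403 before halting; check_body_token/2 is the form-post variant, meant to be called from the handler so the parsed BodyQs is read once and reused for the handler's other fields.

```erlang
%% csrf_middleware.erl -- added example for this thread, not code from the
%% original post or from Cowboy. Assumes the Cowboy 0.8-era cowboy_req API.
-module(csrf_middleware).
-behaviour(cowboy_middleware).
-export([execute/2, check_body_token/2, constant_time_equal/2]).

%% Assumption: the login handler sets this cookie (readable by script, i.e.
%% not HttpOnly) and an AngularJS-style client echoes it in the header.
-define(COOKIE, <<"XSRF-TOKEN">>).
-define(HEADER, <<"x-xsrf-token">>).
%% Form field name from the original post.
-define(FIELD, <<"_csrf">>).

%% Safe methods do not change state, so they carry no token and pass through.
execute(Req, Env) ->
    {Method, Req2} = cowboy_req:method(Req),
    case lists:member(Method, [<<"GET">>, <<"HEAD">>, <<"OPTIONS">>]) of
        true  -> {ok, Req2, Env};
        false -> check_header(Req2, Env)
    end.

%% Double-submit check: the header value must equal the cookie value.
%% Neither cookie/2 nor header/2 reads the body, so the downstream handler's
%% own cowboy_req:body_qs/1 call still sees the full body.
check_header(Req, Env) ->
    {Cookie, Req2} = cowboy_req:cookie(?COOKIE, Req),
    {Header, Req3} = cowboy_req:header(?HEADER, Req2),
    case valid(Cookie, Header) of
        true ->
            {ok, Req3, Env};
        false ->
            %% Reply first, then halt: the 403 set here is what the client sees.
            {ok, Req4} = cowboy_req:reply(403, [], <<"Invalid CSRF Token.">>, Req3),
            {halt, Req4}
    end.

%% Form-post variant, to be called from the handler with the token it holds
%% in the session. Returns the parsed BodyQs so the handler reuses it for its
%% other fields instead of calling body_qs/1 a second time (which yields []).
check_body_token(Expected, Req) ->
    {ok, BodyQs, Req2} = cowboy_req:body_qs(Req),
    case valid(Expected, proplists:get_value(?FIELD, BodyQs)) of
        true  -> {ok, BodyQs, Req2};
        false -> {forbidden, Req2}
    end.

%% Missing cookie, header or field (undefined), or a valueless field
%% (body_qs/1 yields the atom true for those) is always a failure.
valid(A, B) when is_binary(A), is_binary(B) -> constant_time_equal(A, B);
valid(_, _) -> false.

%% Compare every byte rather than stopping at the first mismatch, so the
%% comparison time does not leak how much of the token was correct.
constant_time_equal(A, B) when byte_size(A) =/= byte_size(B) ->
    false;
constant_time_equal(A, B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    0 =:= lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs).
```

To enable the middleware, list it between the router and the handler in the listener's middlewares option, e.g. {middlewares, [cowboy_router, csrf_middleware, cowboy_handler]}. A handler that takes a classic form post instead calls check_body_token(SessionToken, Req) and, on {ok, BodyQs, Req2}, reads its own fields such as proplists:get_value(<<"paste">>, BodyQs) from that same list.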