Ruby on Rails is known for its security, but there's a recently discovered Rails security issue that needs to be addressed. It's called Execution After Redirect(EAR), and it's something that every Rails developer should know about. Adam Doupé has done excellent research regarding this security flaw, and he's the one that brought this to my attention. Let me tell you about it.

When an action calls redirect_to, it does just that. It sends the current request to another action. This is often used to kick visitors out of restricted areas, display welcome pages, and so on. The problem with this is that if any code is present after the redirect, it still gets executed. Here's an example from Adam's blog on how this can be abused:

class TopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    unless current_user.is_admin?
      redirect_to "/"
    end
    if @topic.update_attributes(params[:topic])
      flash[:notice] = "Topic updated!"
    end
  end
end

Even though the current user is redirected away from this action, the code after the redirect is still executed. The record is still successfully updated with the information passed in through the request(via params). Ouch.

However, you can fix this by prepending a return to the redirect_to. This will halt the continued execution of code after the redirect_to. Whew.

Rails Developers: Should a patch for this be implemented in the Rails core? Also, are there any cases where you would legitimately need to execute code after a redirect? If so, how about an argument to redirect_to that would allow for continued execution:

redirect_to "/", :continue => true 

Adam Doupé has also written a tool to test your rails applications for this security issue. You can also read more about this issue over at his blog.

 


1 Comments

Max

Aug 15 2011 at 03:38 PM

I know this post is kind of old, but you can do this:

redirect_to '/' and return unless current_user.is_admin?

I think this looks very nice and does exactly what you want.


Add A Comment





Completely Private, used for Gravatar



example: https://www.whatever.com