Patch #16685: Introduce the request_store gem to hold User.current and prevent data leakage in error messages

Added by Holger Just almost 11 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
% Done: 100%

Description

Recently, there were several issues where User.current was not properly initialized and thus the setting from the previous request was used, e.g. #16511 with r13041, which can lead to data disclosure. This issue and all similar ones can be fully circumvented by ensuring that the current user is reset before the request even reaches our Rails code.

This patch, which was extracted from Planio, proposes the introduction of the request_store gem. It adds a middleware to provide a true request-local data store based on Thread.current. This ensures that the current user always needs to be set explicitly and can't be taken from previous requests, even if the logic to set up the user somehow fails or is circumvented due to early error handlers. The fail-safe default is always User.anonymous, which should be sufficient even in the face of an auth error.

This patch is against the current master branch on GitHub.
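The mechanism the description relies on, as an added example that is not code from the patch, from Redmine or from the request_store gem: a minimal Rack-style middleware that hands every request a fresh store backed by Thread.current, and a User.current that falls back to the anonymous user whenever nothing in the request set it explicitly. The class names RequestLocalStore, ClearRequestStore, User and FakeApp, and the X-Login header used to simulate authentication, are all constructed for this demonstration. The stand-in application deliberately skips user setup when the header is absent and can be made to raise early, which is the failure mode the patch guards against.

```ruby
# Added example, not code from the patch, Redmine, or the request_store gem.
# It reimplements the idea the patch describes so it runs stand-alone:
# a Rack-style middleware that clears a Thread.current-backed store around
# every request, and a User.current whose fail-safe default is anonymous.
# RequestLocalStore, ClearRequestStore, User, FakeApp and the X-Login header
# are all constructed for this demonstration.

class RequestLocalStore
  KEY = :request_local_store

  # Lazily create a per-thread hash. Threads are reused across requests by
  # typical Rack servers, so this is only "per request" while it is cleared.
  def self.store
    Thread.current[KEY] ||= {}
  end

  def self.clear!
    Thread.current[KEY] = nil
  end
end

class User
  attr_reader :login

  def initialize(login)
    @login = login
  end

  def self.anonymous
    @anon_user ||= new('anonymous')
  end

  # Fail-safe default: an absent entry means anonymous, never "whoever was last".
  def self.current
    RequestLocalStore.store[:current_user] || anonymous
  end

  def self.current=(user)
    RequestLocalStore.store[:current_user] = user
  end
end

# Middleware: reset the store before the app runs and again afterwards,
# including when the app raised (ensure), so an early error cannot leave
# the previous request's user behind for the next one.
class ClearRequestStore
  def initialize(app)
    @app = app
  end

  def call(env)
    RequestLocalStore.clear!
    @app.call(env)
  ensure
    RequestLocalStore.clear!
  end
end

# Stand-in for the application: sets User.current only when the constructed
# X-Login header is present, and can fail early on a chosen path, mimicking
# a request where the user-setup logic is skipped or interrupted.
class FakeApp
  def call(env)
    User.current = User.new(env['HTTP_X_LOGIN']) if env['HTTP_X_LOGIN']
    raise 'early error before user setup finished' if env['PATH_INFO'] == '/error'
    [200, { 'Content-Type' => 'text/plain' }, ["hello #{User.current.login}"]]
  end
end

# Sends an authenticated request as "alice", then an unauthenticated one on the
# same thread, and returns the login the second request sees.
def second_request_login(app, first_path: '/')
  begin
    app.call('HTTP_X_LOGIN' => 'alice', 'PATH_INFO' => first_path)
  rescue RuntimeError
    # the first request blew up early; the server simply moves on to the next one
  end
  body = app.call('PATH_INFO' => '/')[2].first
  body.delete_prefix('hello ')
end

def leak_without_middleware
  second_request_login(FakeApp.new)                               # stale "alice" leaks
end

def no_leak_with_middleware
  second_request_login(ClearRequestStore.new(FakeApp.new))        # "anonymous"
end

def no_leak_after_early_error
  second_request_login(ClearRequestStore.new(FakeApp.new), first_path: '/error')
end

if __FILE__ == $PROGRAM_NAME
  puts "without middleware:            #{leak_without_middleware}"
  puts "with middleware:               #{no_leak_with_middleware}"
  puts "with middleware, after error:  #{no_leak_after_early_error}"
end
```

The important detail is the `ensure` in the middleware: clearing only at the start of a request would already fix the leak shown here, but clearing on the way out as well means nothing request-specific survives in the thread between requests, which is what makes the anonymous default trustworthy even when an error handler short-circuits the normal user setup.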

Related issues

Related to Redmine - Feature #31911: Update request_store gem to 1.4 (Closed, Jean-Philippe Lang)
#1 Updated by Toshi MARUYAMA almost 11 years ago

  • Target version set to 2.4.6

#2 Updated by Toshi MARUYAMA almost 11 years ago

  • Description updated (diff)

#10 Updated by Toshi MARUYAMA almost 11 years ago

  • Target version changed from 2.4.6 to 2.6.0
  • % Done changed from 0 to 100

#15 Updated by Jean-Philippe Lang over 10 years ago

  • Status changed from New to Closed

#16 Updated by Go MAEDA over 5 years ago