Home/ Questions/Q 8989651
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T22:18:49+00:00

In my Rails 2 application, I found a security bug in routing. I am

  • 0

In my Rails 2 application, I found a security bug in routing. I am using Rails 2.3.8. Here is my implementation: 

# routes.rb
map.connect 'sampleview', :controller => 'sample', :action => 'view'

For some condition, the URL in my comes like http://example.com/sampleview?view_url=http://test.com?s=2&code=15

In this case I have gone to test.com (this test.com is another domain which I have shown in my app) and the pages are placed in iframe tag.

The problem is suppose if I frame url:

http://example.com/sampleview?view_url=http://www.google.com

The Google landing page was placed in the iframe tag with in my application. This is not good.

If URL http://example.com/sampleview?view_url=http://www.google.com contains other than that test.com. I have to raise the message to user. This is not valid URL here.

How can modify my routes.rb to support this or any other solution. Please help.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m not sure you can do this in Rails 3.2 as the constraint option on route does not exists. I would suggest you to implement this in the controller, eventually with a before_filter. You can place it in the ApplicationController if you have to share it between different controllers.

    UPDATE: add example

    class ApplicationController
  before_filter :check_view_url

  private

  def check_view_url
    if params[:view_url] && params[:view_url] !~ %r{^http://test.com}
      raise "Trying to access invalid website"
    end
  end

end
    • 0