[Catalyst] preventing Cross Site Request Forgery
Jonathan Rockway
jon at jrock.us
Wed Jun 20 03:48:53 GMT 2007
On Tuesday 19 June 2007 09:47:50 am Matt S Trout wrote:
> On Tue, Jun 19, 2007 at 07:11:10AM -0700, Bill Moseley wrote:
> > On Tue, Jun 19, 2007 at 04:10:25AM -0500, Jonathan Rockway wrote:
> > > http://www.25hoursaday.com/weblog/2007/06/05/WhatRubyOnRailsCanLearnFromASPNET.aspx
> > >
> > > and realized that Catalyst is just as "vulnerable" as Rails. So, I
> > > wrote Catalyst::Plugin::FormCanary to solve the problem. If you care
> > > about CSRF, get it from CPAN, load it into your app, and stop worrying
> > > :)
> >
> > Is this much different than Catalyst::Plugin::RequestToken?
>
> Yeah, it comes with an intrusive HTML munger, a complete disregard for
> AJAX-induced security holes, a free false sense of security and a silly
> name.
>
> Now how could that possibly not be both different -and- better? :)
Patches welcome.
--
package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
$,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
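The kind of per-session token check the thread is arguing about, as an added framework-agnostic example (not code from Catalyst::Plugin::RequestToken or Catalyst::Plugin::FormCanary): the token is accepted either as a form field or as a request header, so AJAX-issued POSTs are covered as well as rewritten HTML forms. The session dict, the `csrf_token` field name and the `X-CSRF-Token` header name are assumptions.

```python
import hmac
import secrets

# Assumed names: session key / form field, and the header an AJAX client sends.
TOKEN_KEY = "csrf_token"
TOKEN_HEADER = "X-CSRF-Token"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_token(session):
    """Create (once) and return the session's CSRF token for embedding in
    forms and in the JS bootstrap of AJAX pages. The session is assumed to be
    a server-side dict keyed by an HttpOnly session cookie."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_hex(32)
    return session[TOKEN_KEY]


def request_is_authorized(session, method, form, headers):
    """Decide whether a request may perform a state change.

    Safe methods pass untouched. For anything else the token presented in the
    form body or in the header must equal the session's token; a cross-site
    page cannot read that value, so a forged request cannot supply it.
    hmac.compare_digest avoids a timing side channel on the comparison."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_KEY)
    if not expected:
        # No token ever issued to this session: nothing to compare against.
        return False
    presented = form.get(TOKEN_KEY) or headers.get(TOKEN_HEADER)
    if not presented:
        return False
    return hmac.compare_digest(expected, presented)


def demo():
    """Constructed requests against a constructed session; returns outcomes."""
    victim = {}
    token = issue_token(victim)
    attacker = {}
    attacker_token = issue_token(attacker)  # valid for the attacker's session only
    return {
        "form_post": request_is_authorized(victim, "POST", {TOKEN_KEY: token}, {}),
        "ajax_post": request_is_authorized(victim, "POST", {}, {TOKEN_HEADER: token}),
        "forged_post": request_is_authorized(victim, "POST", {"amount": "100"}, {}),
        "wrong_session": request_is_authorized(victim, "POST", {TOKEN_KEY: attacker_token}, {}),
    }
```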