[Catalyst] preventing Cross Site Request Forgery
Jonathan Rockway
jon at jrock.us
Tue Jun 19 10:10:25 GMT 2007
Hello cata-listers,
I was reading an article about CSRF last night:
http://www.25hoursaday.com/weblog/2007/06/05/WhatRubyOnRailsCanLearnFromASPNET.aspx
and realized that Catalyst is just as "vulnerable" as Rails. So, I wrote
Catalyst::Plugin::FormCanary to solve the problem. If you care about CSRF,
get it from CPAN, load it into your app, and stop worrying :)
It's sort of unpolished right now (see the TODO section), but it does work
(even with FormBuilder), and it fails in a secure state instead of an
insecure state. It has good test coverage, so if you feel like fixing
something in the TODO list, write a test, fix it, and send me a patch.
Enjoy!
Regards,
Jonathan Rockway
--
package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
$,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
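The canary pattern the post describes, as an added example that is not part of the original message and not Catalyst::Plugin::FormCanary's own code: a framework-free, core-Perl-only sketch of a per-session, per-form synchronizer token whose verification fails closed. The function names, the hidden-field name "canary", and the token layout are assumptions made here; the plugin's real API may differ.

```perl
#!/usr/bin/env perl
# Added example, not Catalyst::Plugin::FormCanary's own code: a minimal
# synchronizer-token ("canary") CSRF check, framework-free and core-Perl only.
# Names (issue_canary, verify_canary, the "canary" field) are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Cryptographically random bytes; a real app would take these from its
# session layer. Dies rather than falling back to rand(), which is not
# suitable for secrets.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $buf = '';
    my $got = read $fh, $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Constant-time string equality so the MAC check does not leak how many
# leading bytes of a forged token were correct.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Token = form_id:nonce:HMAC-SHA256(secret, form_id:nonce). The per-session
# secret never leaves the server, so a cross-site attacker cannot mint one;
# binding the form id stops a token issued for one form being replayed on another.
sub issue_canary {
    my ($session_secret, $form_id) = @_;
    die "form id must be [A-Za-z0-9_-]+" unless $form_id =~ /\A[A-Za-z0-9_-]+\z/;
    my $nonce = unpack 'H*', random_bytes(16);
    return "$form_id:$nonce:" . hmac_sha256_hex("$form_id:$nonce", $session_secret);
}

# Hidden field to drop into the form. The token is plain [A-Za-z0-9_:-], so it
# needs no further escaping here.
sub canary_field {
    my ($token) = @_;
    return qq{<input type="hidden" name="canary" value="$token">};
}

# Every path out of here is "reject" unless the token is present, well-formed,
# bound to this form and carries a valid MAC: the check fails closed.
sub verify_canary {
    my ($session_secret, $expected_form, $token) = @_;
    return 0 unless defined $token;
    my @parts = split /:/, $token, -1;
    return 0 unless @parts == 3;
    my ($form_id, $nonce, $mac) = @parts;
    return 0 unless $form_id eq $expected_form;
    return 0 unless $nonce =~ /\A[0-9a-f]{32}\z/;
    return ct_eq(hmac_sha256_hex("$form_id:$nonce", $session_secret), $mac);
}

# Walk-through with a constructed victim session and a constructed attacker.
my $victim_secret   = unpack 'H*', random_bytes(32);   # server-side, per session
my $attacker_secret = unpack 'H*', random_bytes(32);   # attacker's own session

my $token = issue_canary($victim_secret, 'transfer');
print canary_field($token), "\n";

# Flip the last hex digit of the MAC to simulate tampering.
my $tampered = $token;
substr($tampered, -1) = substr($tampered, -1) eq '0' ? '1' : '0';

my @cases = (
    ['legitimate POST carrying its own token',              $token],
    ['cross-site POST with no canary field at all',         undef],
    ['attacker replays a token minted in their own session',
        issue_canary($attacker_secret, 'transfer')],
    ['token issued for the "profile" form reused on "transfer"',
        issue_canary($victim_secret, 'profile')],
    ['token with the MAC tampered',                         $tampered],
);
for my $case (@cases) {
    my ($label, $t) = @$case;
    printf "%-60s %s\n", $label,
        verify_canary($victim_secret, 'transfer', $t) ? 'accepted' : 'rejected';
}
```

Only the first case is accepted; every other case is rejected, including the one with no field at all, which is the "fails in a secure state" property the post calls out. Two caveats a practitioner would want: the session secret must be looked up server-side from the session cookie, never read back from the request, and the check has to be applied to every state-changing endpoint, not only to requests that happen to arrive through a rendered form, since an attacker's page is not obliged to use your form.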