[B! Security][rails] clavierã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

clavier id:clavier

Securityã¨railsã«é–¢ã™ã‚‹clavierã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (15)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Brakemanã®ã‚ªãƒ—ã‚·ãƒ§ãƒ³(å’Œè¨³) - Qiita
Deleted articles cannot be recovered. Draft of this article would be also deleted. Are you sure you want to delete this article?
clavier 2018/05/22
Rails

Security
ãƒªãƒ³ã‚¯
ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã«è¦‹ã‚‹ Web ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å¯¾ç– - Qiita
Deleted articles cannot be recovered. Draft of this article would be also deleted. Are you sure you want to delete this article? ã‚»ã‚ãƒ¥ã‚ãƒ£ãƒ³ 2015 é«˜ãƒ¬ã‚¤ãƒ¤ãƒ¼ãƒˆãƒ©ãƒƒã‚¯(Jxck) æœ¬è³‡æ–™ã¯ã€ã‚»ã‚ãƒ¥ã‚ãƒ£ãƒ³ 2015 é«˜ãƒ¬ã‚¤ãƒ¤ãƒ¼ãƒˆãƒ©ãƒƒã‚¯ã®è¬›ç¾©è³‡æ–™ã§ã™ã€‚ ã‚»ã‚ãƒ¥ã‚ãƒ£ãƒ³å‚åŠ è€…ã§ã‚ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®åµã‚’å¯¾è±¡ã«ã€ Web ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®çŸ¥è¦‹ãŒã€å®Ÿéš›ã©ã®ã‚ˆã†ã« Web ã‚¢ãƒ—ãƒªé–‹ç™ºã«åæ˜ ã•ã‚Œã¦ã„ã‚‹ã‹ã€ã‚‚ã—ãã¯ã©ã†åæ˜ ã™ã¹ãã‹ã‚’ã€ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã®è¦–ç‚¹ã‹ã‚‰è§£èª¬ã™ã‚‹ã“ã¨ã‚’ç›®çš„ã¨ã—ã¦ã„ã¾ã™ã€‚ å°†æ¥ã€ Web ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã«èˆˆå‘³ã‚’æŒã£ãŸã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãŒã€ãã®çŸ¥è¦‹ã‚’å¤šãã®é–‹ç™ºè€…ã«å•“è’™ã™ã‚‹æ‰‹æ®µã¨ã—ã¦ã€ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã«åæ˜ ã™ã‚‹ã¨ã„ã†ã®ã¯éžå¸¸ã«æœ‰åŠ¹ãªæ–¹æ³•ã§ã™ã€‚ ã“ã“ã§ã¯ãã®å®Ÿä¾‹ã¨ã—ã¦
clavier 2015/08/14
security

rails

framework

development

ã‚ã¨ã§èªã‚€
ãƒªãƒ³ã‚¯
Railsã®Deviseã§æœ€ä½Žé™ä»˜ä¸Žã—ãŸã„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£è¨å®š - Qiita
Railsã§ä¼šå“¡æ©Ÿèƒ½ã‚’å®Ÿè£…ã™ã‚‹ã®ã«ã‚ˆãä½¿ã†gemã®Deviseã§ã™ãŒã€ å€‹äººçš„ã«ã‚µãƒ¼ãƒ“ã‚¹ä½œã‚‹ãªã‚‰æœ€ä½Žé™ã“ã‚Œãã‚‰ã„ã®è¨å®šã¯ã—ã¦ãŠã„ã¦æ¬²ã—ã„ãªãã¨æ€ã†ã€‚ ç°¡å˜ã«è¨å®šã§ãã¦æ‰‹è»½ã«ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ¬ãƒ™ãƒ«ä¸Šã’ã‚Œã‚‹ã®ã§ã€ å¯ç”¨æ€§ãŒä¸‹ãŒã‚‰ãªã„ç¯„å›²ã§èª¿æ•´ã—ã¦å°Žå…¥ã—ã¦æ¬²ã—ã„ã§ã™ã€‚ ##ãƒãƒƒã‚¯æ¡ä»¶ã®æœ‰åŠ¹åŒ–ï¼ˆæ™‚é–“ã§ã®ã¿è§£é™¤ã®å ´åˆï¼‰ deviseã®ãƒžã‚¤ã‚°ãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ãƒ•ã‚¡ã‚¤ãƒ«ã®ã‚³ãƒ¡ãƒ³ãƒˆéƒ¨åˆ†ã‚’èª¿æ•´ã—ã¾ã™ã€‚ ã‚³ãƒ¡ãƒ³ãƒˆã«ä½¿ç”¨æ–¹æ³•ãªã©ã‚‚æ›¸ã„ã¦ã„ã‚‹ã®ã§ã€ è¦ä»¶ã«åˆã‚ã›ã¦ä½¿ã„åˆ†ã‘ã‚‹ã®ãŒè‰¯ã„ã§ã—ã‚‡ã†ã€‚ ä»Šå›žã¯æ™‚é–“ã§ã®ã¿è§£é™¤ã™ã‚‹ã®ã§ä¸‹è¨˜ã®ã‚ˆã†ã«ã—ã¦ãŠãã¾ã™ã€‚ â€»ãƒ¡ãƒ¼ãƒ«ã§è§£é™¤ç”¨ã®ãƒˆãƒ¼ã‚¯ãƒ³é€ã£ãŸã‚Šã™ã‚‹å ´åˆãƒˆãƒ¼ã‚¯ãƒ³éƒ¨åˆ†ã‚‚ã„ã‚Šã¾ã™ã€‚
clavier 2015/05/15
rails

ruby

security
ãƒªãƒ³ã‚¯
Rails ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¬ã‚¤ãƒ‰ | Rails ã‚¬ã‚¤ãƒ‰
æœ¬ã‚¬ã‚¤ãƒ‰ã§ã¯ã€Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³å…¨èˆ¬ã«ãŠã‘ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®å•é¡Œã¨ã€Railsã§ãã‚Œã‚‰ã®å•é¡Œã‚’å›žé¿ã™ã‚‹æ–¹æ³•ã«ã¤ã„ã¦èª¬æ˜Žã—ã¾ã™ã€‚ ã“ã®ã‚¬ã‚¤ãƒ‰ã®å†…å®¹: Railsçµ„ã¿è¾¼ã¿ã®èªè¨¼æ©Ÿèƒ½ã‚¸ã‚§ãƒãƒ¬ãƒ¼ã‚¿ã®åˆ©ç”¨æ³• æœ¬ã‚¬ã‚¤ãƒ‰ã§å–ã‚Šä¸Šã’ã‚‰ã‚Œã¦ã„ã‚‹å•é¡Œã«å¯¾ã™ã‚‹ã‚ã‚‰ã‚†ã‚‹å¯¾ç– Railsã«ãŠã‘ã‚‹ã‚»ãƒƒã‚·ãƒ§ãƒ³ã®æ¦‚å¿µã€ã‚»ãƒƒã‚·ãƒ§ãƒ³ã«å«ã‚ã‚‹ã¹ãé …ç›®ã€æœ‰åãªã‚»ãƒƒã‚·ãƒ§ãƒ³æ”»æ’ƒ Webã‚µã‚¤ãƒˆã‚’é–‹ãã ã‘ã§ï¼ˆCSRFã«ã‚ˆã‚‹ï¼‰ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å•é¡ŒãŒç™ºç”Ÿã™ã‚‹ã—ãã¿ ãƒ•ã‚¡ã‚¤ãƒ«ã®å–æ‰±ã„ä¸Šã®æ³¨æ„ã€ç®¡ç†ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ã‚§ã‚¤ã‚¹ã‚’æä¾›ã™ã‚‹éš›ã®æ³¨æ„äº‹é … ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’æ£ã—ãç®¡ç†ã™ã‚‹ï¼ˆãƒã‚°ã‚¤ãƒ³ãƒ»ãƒã‚°ã‚¢ã‚¦ãƒˆã®ã—ãã¿ã€ã‚ã‚‰ã‚†ã‚‹ãƒ¬ã‚¤ãƒ¤ã«ãŠã‘ã‚‹æ”»æ’ƒæ–¹æ³•ï¼‰ æœ€ã‚‚æœ‰åãªã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³æ”»æ’ƒæ–¹æ³•ã®è§£èª¬ 1 ã¯ã˜ã‚ã« Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã¯ã€Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®é–‹ç™ºã‚’æ”¯æ´ã™ã‚‹ãŸã‚ã«ä½œã‚‰ã‚Œã¾ã—ãŸã€‚ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã®ä¸ã«ã¯ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚’æ¯”è¼ƒçš„é«˜ã‚ã‚„ã™ã„ã‚‚ã®ã‚‚ã‚ã‚Šã¾ã™ã€‚å®Ÿ
clavier 2015/04/04
rails

security
ãƒªãƒ³ã‚¯
Rails SQL Injection Examples
Overview The Ruby on Rails web framework provides a library called ActiveRecord which provides an abstraction for accessing databases. This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. Careless use of these methods can open up code to SQL Injection exploits. The examples here do not inclu
clavier 2014/09/10
activerecord

Rails

Security

SQL
ãƒªãƒ³ã‚¯
Railsã®CSRFå¯¾ç–ã®ä»•çµ„ã¿ã«ã¤ã„ã¦ - ï¼ˆ2015å¹´ã¾ã§ã®ï¼‰odaillyjp blog
å…ˆæ—¥ã€Rails ã§é–‹ç™ºã—ã¦ã„ã‚‹ã¨ãã«æ„å›³ã—ãªã„ InvalidAuthenticityToken ã‚¨ãƒ©ãƒ¼ãŒç™ºç”Ÿã—ã¦ã€ã™ã”ããƒãƒžã£ã¦ã—ã¾ã„ã¾ã—ãŸã€‚ãã®ã¨ãã« Rails ã®CSRFå¯¾ç–ã®ä»•çµ„ã¿ã«ã¤ã„ã¦èª¿ã¹ã¦ã¿ã¾ã—ãŸã®ã§ã€ãƒ–ãƒã‚°ã«æ®‹ã—ã¦ãŠãã¾ã™ã€‚ Rails ã®CSRFå¯¾ç– Rails ãŒç”Ÿæˆã—ãŸ ApplicationController ã«ã¯ä»¥ä¸‹ã®è¨˜è¿°ãŒã‚ã‚Šã¾ã™ã€‚ class ApplicationController < ActionController::Base # Prevent CSRF attacks by raising an exception. # For APIs, you may want to use :null_session instead. protect_from_forgery with: :exception end protect_from_forg
clavier 2014/09/06
CSRF

security

rails

ruby
ãƒªãƒ³ã‚¯
http://railssecurity.com/
clavier 2014/09/02
rails

security
ãƒªãƒ³ã‚¯
Rails SQL Injection Examplesã®ç´¹ä»‹
6. è„†å¼±æ€§ã®ã‚ã‚‹ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ Copyright Â© 2010-2014 HASH Consulting Corp. 6 @books = Book.where( "publish = '#{params[:publish]}' AND price >= #{params[:price]}") å±±ç”° ç¥¥å¯› (è‘—) Ruby on Rails 4 ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚° æŠ€è¡“è©•è«–ç¤¾ (2014/4/11) ã«è„†å¼±æ€§ã‚’åŠ ãˆã¾ã—ãŸw â€»å…ƒæœ¬ã«è„†å¼±æ€§ãŒã‚ã‚‹ã‚ã‘ã§ã¯ã‚ã‚Šã¾ã›ã‚“ 7. UNION SELECTã«ã‚ˆã‚Šå€‹äººæƒ…å ±ã‚’çªƒå– Copyright Â© 2010-2014 HASH Consulting Corp. 7 priceã«ä»¥ä¸‹ã‚’å…¥ã‚Œã‚‹ 1) UNION SELECT id,userid,passwd,null,mail,null,false,created_at,updated
clavier 2014/06/12
rails

security

SQL
ãƒªãƒ³ã‚¯
ActiveRecordã®SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ãƒ‘ã‚¿ãƒ¼ãƒ³
(Last Updated On: 2018å¹´10æœˆ7æ—¥)Railsã§å¤šç”¨ã•ã‚Œã¦ã„ã‚‹ActiveRecordã®ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ãƒ‘ã‚¿ãƒ¼ãƒ³ã‚’ç°¡å˜ã«ç´¹ä»‹ã—ã¾ã™ã€‚å‡ºå…¸ã¯rails-sqli.orgãªã®ã§ã‚ˆã‚Šè©³ã—ã„è§£èª¬ã¯ã“ã¡ã‚‰ã§ç¢ºèªã—ã¦ãã ã•ã„ã€‚ç‰¹ã«æ°—ã‚’ã¤ã‘ã‚‹å¿…è¦ãŒã‚ã‚‹ã¨æ€ã‚ã‚Œã‚‹ç‰©ã®ã¿ã‚’ãƒ”ãƒƒã‚¯ã‚¢ãƒƒãƒ—ã—ã¾ã—ãŸã€‚ Exists?ãƒ¡ã‚½ãƒƒãƒ‰ User.exists? params[:user] params[:user]ãªã©ã®ä½¿ã„æ–¹ã¯å±é™ºã§ã™ã€‚Railsã¯PHPãªã©ã¨åŒæ§˜ã«user[]ã¨ã„ã†ãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ãƒ¼ã§é…åˆ—åŒ–ã—ã¾ã™ã€‚ ?user[]=1 ãŒå…¥åŠ›ã®å ´åˆã€ SELECT 1 AS one FROM "users" WHERE (1) LIMIT 1 ã¨ãªã‚Šä¸æ£ãªã‚¯ã‚¨ãƒªãŒå®Ÿè¡Œã•ã‚Œã¾ã™ã€‚ Calculateãƒ¡ã‚½ãƒƒãƒ‰ Calculateãƒ¡ã‚½ãƒƒãƒ‰ã¯SQLã®é›†ç´„é–¢æ•°ã‚’å®Ÿè¡Œã™ã‚‹ãƒ¡ã‚½ãƒƒãƒ‰ã§ã™ã€‚averageã€calcula
clavier 2014/05/09
activerecord

rails

security
ãƒªãƒ³ã‚¯
Rails Sessionã«CookieStoreä½¿ã£ãŸæ™‚ã®å•é¡Œç‚¹ - OAuth.jp
ä»Šæ—¥ @mad_p ã•ã‚“ã‹ã‚‰RTæ¥ã¦ãŸã“ã®ãƒ„ã‚¤ãƒ¼ãƒˆã«é–¢ã—ã¦ã€ã¡ã‚‡ã£ã¨èª¿ã¹ãŸã®ã§ã¾ã¨ã‚ã¨ãã¾ã™ã€‚ Security Issue in Ruby on Rails Could Expose Cookies http://t.co/JlsXVEn4rZ â€” Ruby on Rails News (@RubyonRailsNews) September 25, 2013 å‰ææ¡ä»¶ Railsã§ã¯ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§sessionã‚’cookieã«ã®ã¿ä¿å˜ã—ã¦ã€DBãªã‚Šmemcacheãªã‚Šã®server-side storageã«ã¯ä½•ã‚‚ä¿å˜ã—ã¾ã›ã‚“ã€‚ ã“ã‚ŒãŒCookieStoreã¨ã‹å‘¼ã°ã‚Œã¦ã‚‹ã‚„ã¤ã§ã™ã€‚ ã“ã®å ´åˆã®session cookieã¯ã€Railsã®session object (Hash object) ã‚’Marshal.dumpã—ã¦ãã‚Œã«ç½²åã‚’ä»˜ã‘ãŸtokenã§ã™ã€‚ rails 4ã§ã¯ç½²åä»˜ã‘ã‚‹ä»£
clavier 2013/11/28
session

security

rails

cookie
ãƒªãƒ³ã‚¯
ã‚»ã‚ãƒ¥ã‚¢ãªRuby on Railsç’°å¢ƒã‚’å®Ÿç¾ã™ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒã‚§ãƒƒã‚«ãƒ¼Â·Hakiri MOONGIFT
Hakiriã¯Rubyè£½ã€MIT Licenseã®ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ãƒ»ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã§ã™ã€‚ Webã‚µãƒ¼ãƒã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã¯ä¸‡å…¨ã§ã—ã‚‡ã†ã‹ã€‚ã§ãã‚‹ã ã‘ã®ã“ã¨ã¯ã—ã¤ã¤ã‚‚ã€ãã‚Œã§ã‚‚ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—ãŒé©åˆ‡ã«è¡Œã‚ã‚Œã¦ã„ãªã„å ´åˆã‚‚ã‚ã‚Šã¾ã™ã€‚ç‰¹ã«å¤–éƒ¨ã«å…¬é–‹ã•ã‚Œã‚‹Webã‚µãƒ¼ãƒã‚„ã€ãã“ã‹ã‚‰æŽ¥ç¶šã•ã‚Œã‚‹ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã‚µãƒ¼ãƒã«ã¤ã„ã¦ã¯é‡ç‚¹çš„ã«ãƒã‚§ãƒƒã‚¯ãŒå¿…è¦ã§ã™ã€‚ãã“ã§ä½¿ã£ã¦ã¿ãŸã„ã®ãŒHakiriã§ã™ã€‚ æœ€åˆã«ãƒžãƒ‹ãƒ•ã‚§ã‚¹ãƒˆã‚’ä½œæˆã—ã¾ã™ã€‚å¿…è¦ãªç®‡æ‰€ã‚’ä¿®æ£ã—ã¾ã™ã€‚ å¾Œã¯system:scanã§è‡ªå‹•çš„ã«ã‚·ã‚¹ãƒ†ãƒ ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãƒã‚§ãƒƒã‚¯ãŒå®Ÿè¡Œã•ã‚Œã¾ã™ã€‚ãƒãƒ¼ã‚«ãƒ«ã¨ã„ã†ã“ã¨ã‚‚ã‚ã£ã¦ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—ã‚’æ”¾ç½®ã—éŽãŽã¦ã„ã¾ã™ãâ€¦ã€‚ ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£æƒ…å ±ã‚’ãƒªã‚¹ãƒˆã‚¢ãƒƒãƒ—ã§ãã¾ã™ã€‚ãŠã¨ãªã—ããƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—ã™ã‚‹ã®ãŒè‰¯ã„ã§ã™ã€‚ Hakiriã¯Webã‚µãƒ¼ãƒ“ã‚¹ã¨ã—ã¦å…¬é–‹ã•ã‚Œã¦ã„ã‚‹Hakiri Platformã®CUIã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã¨ã„ã†ä½ç½®ã¥ã‘ã§ã™ã€‚ä¸»ã«Ruby/R
clavier 2013/07/16
rails

ruby

security
ãƒªãƒ³ã‚¯
Blog
What We Know Our key takeaways from partnering with enterprise-level engineering teams. Details How We Ensure Success Our unique and personalized approach to help you achieve your business goals. Details
clavier 2013/03/28
developer

security

ruby

rails
ãƒªãƒ³ã‚¯
Cookieã«ãƒã‚°ã‚¤ãƒ³IDã‚’ä¿å˜ã—ã¦ã¯ã„ã‘ãªã„
phpproã®Q&AæŽ²ç¤ºæ¿ã§ä¸‹è¨˜ã®è³ªå•ã‚’èªã¿ã¾ã—ãŸã€‚ ãƒã‚°ã‚¤ãƒ³ã®éš›ã«ã€ã‚¯ãƒƒã‚ãƒ¼ã«ãƒã‚°ã‚¤ãƒ³æƒ…å ±ã‚’ä¿å˜ã—ã€ãƒã‚°ã‚¢ã‚¦ãƒˆã®éš›ã«ã¯ã€ãƒ•ã‚©ãƒ¼ãƒ ã‚¿ã‚°ã®ä¸ã§POSTã§ãƒã‚°ã‚¢ã‚¦ãƒˆã®ç‚ºã®å€¤ã‚’é£›ã°ã—ã€å€¤ã‚’å—ã‘å–ã£ãŸã‚‰ã‚¯ãƒƒã‚ãƒ¼ã®æœ‰åŠ¹æœŸé™ã‚’ãƒžã‚¤ãƒŠã‚¹ã«ã—ã¦ã‚¯ãƒƒã‚ãƒ¼æƒ…å ±ã‚’æ¶ˆã™ã¨ã„ã†ãƒã‚°ã‚¢ã‚¦ãƒˆå‡¦ç†ã‚’ä½œã£ã¦ã„ã¾ã™ã€‚ åŒä¸€ãƒšãƒ¼ã‚¸ã§ã®Cookieã§ã®ãƒã‚°ã‚¢ã‚¦ãƒˆå‡¦ç†ã‚ˆã‚Šå¼•ç”¨ ã‚¯ãƒƒã‚ãƒ¼ã«ãã®ã¾ã¾ãƒã‚°ã‚¤ãƒ³æƒ…å ±ã‚’ä¿æŒã™ã‚‹ã®ã¯ã‚ˆãã‚ã‚Šã¾ã›ã‚“ãã€‚è³ªå•ã‚’æ›´ã«èªã‚€ã¨ã€ä»¥ä¸‹ã®ã‚½ãƒ¼ã‚¹ãŒã‚ã‚Šã¾ã™ã€‚ setcookie("logid",$row["f_customer_logid"],time()+60*60*24); setcookie("point",$row["f_customer_point"],time()+60*60*24);ã©ã†ã‚‚ã€SQLå‘¼ã³å‡ºã—ã®çµæžœã‹ã‚‰ãƒã‚°ã‚¤ãƒ³IDã‚’å–ã‚Šå‡ºã—ã€ãã‚Œã‚’ãã®ã¾ã¾Cookieã«ã‚»ãƒƒãƒˆã™ã‚‹ã“ã¨ã§ã€ãƒã‚°ã‚¤ãƒ³çŠ¶æ…‹
clavier 2013/02/07
security

Rails

cookie
ãƒªãƒ³ã‚¯
uu59ã®ãƒ¡ãƒ¢ | Rails4ã§ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§å…¥ã‚‹turbolinksãŒã‚ªãƒ¼ãƒ—ãƒ³ãƒªãƒ€ã‚¤ãƒ¬ã‚¯ã‚¿ã¨åˆã‚ã•ã‚‹ã¨ä½•ã§ã‚‚ã§ãã¦ã‹ãªã‚Šå±é™º
Rails 4.0ã§å…¥ã‚‹turbolinksã§ã™ãŒã€ã“ã‚ŒãŒæœ‰åŠ¹ã ã¨ç„¡åŠ¹ã®ç’°å¢ƒã¨æ¯”ã¹ã¦ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒªã‚¹ã‚¯ãŒå¾®å¢—ã™ã‚‹ã¨ã„ã†è©±ã§ã™ã€‚å…·ä½“çš„ã«ã¯Railsã‚µãƒ¼ãƒ“ã‚¹å†…ï¼ˆåŒä¸€ãƒ›ã‚¹ãƒˆå†…ï¼‰ã«ã‚ªãƒ¼ãƒ—ãƒ³ãƒªãƒ€ã‚¤ãƒ¬ã‚¯ã‚¿ãŒã‚ã‚Šã€CGMã‚µã‚¤ãƒˆã§ã‚ã‚‹ã¨ã‹ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒä»»æ„ã®ãƒªãƒ³ã‚¯ã‚’å¼µã‚Œã‚‹å ´åˆã«ã€æ‚ªæ„ã‚ã‚‹ã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒãã®ã‚µãƒ¼ãƒ“ã‚¹ã®ãƒ›ã‚¹ãƒˆä¸‹ã§å®Ÿè¡Œã•ã‚Œã¦ã—ã¾ã†ã€‚ã¨ã„ã†ã®ã‚’malaã•ã‚“ã«æŒ‡æ‘˜ã•ã‚Œã¾ã—ãŸã€‚ Railsã§ã‚ã‚Œã°åŸºæœ¬çš„ã«redirect_to :action => "show", :id => @model.idã¿ãŸã„ãªæ„Ÿã˜ã§æ›¸ã„ã¦ãƒªãƒ€ã‚¤ãƒ¬ã‚¯ãƒˆã—ã¦ã‚‹ã ã‚ã†ã‘ã©ã€redirect_to params[:hoge]ã¿ãŸã„ã«æ›¸ã„ã¦ã‚‹å ´åˆã¯?hoge=http://evil.example.comã¨ã‹ã§evilãªãƒšãƒ¼ã‚¸ã«é£›ã¶ã—ã€turbolinksã¨é–¢ä¿‚ãªãã‚ˆã‚ã—ããªã„ã®ã§æš‡ã‚’è¦‹ã¦ç›´ã—ã¾ã—ã‚‡ã†ã€‚ è©±ã‚’æˆ»ã—ã¦turbolinksã
clavier 2012/11/24
javascript

security

rails

xhr
ãƒªãƒ³ã‚¯
rails3ä»¥é™ã®WEBã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã«ã‚ã‚ŠãŒã¡ãªXSS - hanagemanã®æ—¥è¨˜ã§ã¯ãªã„
æ˜Žç¤ºã—ãªãã¦ã‚‚viewã§ã®å‡ºåŠ›ã‚’HTMLã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã—ã¦ãã‚Œã‚‹ã®ã§ç„¡è¦æˆ’ã«ãªã£ã¦ã‚‹ html_escapeãŒã‚·ãƒ³ã‚°ãƒ«ã‚¯ã‚©ãƒ¼ãƒˆã‚’ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã—ãªã„ã¨ã„ã†èªè˜ãŒãªã„ viewã§javascriptã‚’æ›¸ãã¨ãã«åŸ‹ã‚è¾¼ã‚€å€¤ã‚’escape_javascriptã—ã¦ãªã„ ã“ã®ã‚ãŸã‚Šã®è¦ç´ ãŒçµ„ã¿åˆã‚ã•ã‚‹ã¨XSSãŒã†ã¾ã‚Œã‚„ã™ã„ã¨ã„ã†è©±ã‚’æ›¸ãã¾ã™ã€‚ã‚ã‹ã£ã¦ã‚‹äººã«ã¨ã£ã¦ã¯ã‚¯ã‚½ã¿ãŸã„ãªå†…å®¹ãªã®ã§èªã‚€æ™‚é–“ãŒã‚‚ã£ãŸã„ãªã„ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚ãŸã¨ãˆã°js.erbã§ã“ã‚“ãªãµã†ã«æ›¸ã„ã¦ãŸã¨ã—ã¦ var article_id = '<%= @article_id %>'; @article_idãŒä¿¡ç”¨ã§ãã‚‹å€¤ã ã¨ã„ã†å‰æã ã¨å•é¡Œãªã„ã®ã§ã™ãŒã€controllerã§ @article_id = params[:article][:id] å®Ÿã¯ã“ã‚“ãªã“ã¨ã—ã¦ã‚‹ã ã‘ã§ã‚ã¨ã¯ç´ é€šã—ã£ã¦ã„ã†äººã‚‚ã€ã‚‚ã—ã‹ã—ãŸã‚‰ã„ã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚è¦ã¯å¤–ã‹ã‚‰æ¸¡
clavier 2012/03/22
rails

Security

javascript
ãƒªãƒ³ã‚¯
1