Plugins - Signed params - Agile Web Development

Plugins - Signed params

SignedParams

Implements simple signing of query strings. When a set of parameters is generated with signed_url_for a special key, :sig (signature) gets appended to the the hash. The signature contains the digest of all keys and values of the passed hash. When this URL gets called, the controller can use SignedParams to verify if the request parameters have been deliberately changed.

What for

This is useful in situations where you might want to perform operations via URLs which should not, under any circumstances, be user-generated (such as making thumbnails on request - the original need for this arose from that)

What if

Well you gotta have inspiration. http://aaugh.com/imageabuse.html

How to

First define a salt in your environment

  SignedParams.salt = "This is something NOBODY must know"

To build a signed URL, call

  signed_url_for :id => "bla"

To make the controller check the signature in params on specific actions

  class FeedsController < ApplicationController
    require_signed_parameters  :only => [:get_private_feed]
  end

Questions? me@julik.nl

Owner: Julik

Repository: http://julik.textdriven.com/svn/tools/rails_plugins/signed_params/

License:

Rating:4 votes

Currently 5.0/5 Stars.
1
2
3
4
5

Category: Security

Comments

Add a comment

Grateful 13 Sep 2007

Hello Julik:

Thank you for sharing this plugin.

Do you think one can use this to protect all GET URLs from being hacked? This may potentially save tons of validation code , database lookups, etc in various GET actions.

Is it likely that it may it too much CPU to do this? Even so, the gains from hitting DB less may compensate for it?

Thanks.

Agile Web Development

Build it. Launch it. Love it.