Merge branch 'master' of github.com:OWASP/railsgoat

This commit is contained in:
cktricky
2013-11-14 15:05:14 -05:00
5 changed files with 7 additions and 7 deletions
+1 -1
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
#don't upgrade #don't upgrade
gem 'rails', '3.2.11' gem 'rails', '3.2.11'
gem 'rack', '1.4.3' gem 'rack', '1.4.0'
# Bundle edge Rails instead: # Bundle edge Rails instead:
# gem 'rails', :git => 'git://github.com/rails/rails.git' # gem 'rails', :git => 'git://github.com/rails/rails.git'
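Review bot: the `rack` pin moves backward, from '1.4.3' to '1.4.0', and nothing in the hunk says why; the `#don't upgrade` comment above applies only to the `rails` line. If holding rack at an earlier patch release is part of the intentionally vulnerable setup, put a comment on the `gem 'rack'` line saying so, in the same style as the one on `rails`; otherwise keep the '1.4.3' pin from the left-hand side, since this merge silently discards the newer patch release.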
+2 -2
@@ -167,7 +167,7 @@ GEM
coderay (~> 1.0) coderay (~> 1.0)
method_source (~> 0.8) method_source (~> 0.8)
slop (~> 3.4) slop (~> 3.4)
rack (1.4.3) rack (1.4.0)
rack-cache (1.2) rack-cache (1.2)
rack (>= 0.4) rack (>= 0.4)
rack-livereload (0.3.15) rack-livereload (0.3.15)
@@ -293,7 +293,7 @@ DEPENDENCIES
poltergeist poltergeist
powder powder
pry pry
rack (= 1.4.3) rack (= 1.4.0)
rack-livereload rack-livereload
rails (= 3.2.11) rails (= 3.2.11)
rb-fsevent rb-fsevent
@@ -66,13 +66,13 @@
</p> </p>
<p><b>Failure to Restrict URL Access - SOLUTION</b></p> <p><b>Failure to Restrict URL Access - SOLUTION</b></p>
<p class="desc"> <p class="desc">
The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows: The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to remove the conditional and enforce the filter on all access requests to the admin dashboard as follows:
</p> </p>
<pre class="ruby"> <pre class="ruby">
<%= %q{ <%= %q{
class AdminController < ApplicationController class AdminController < ApplicationController
before_filter :administrative, :if => :admin_param before_filter :administrative
} %> } %>
</pre> </pre>
</div> </div>
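Review bot: the added "remove the conditional and" states the fix correctly, but the sentence before it is still missing a verb: "The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker." Suggest "The additional condition, which applies the filter only when the admin_id param equals 1, means the filter can be circumvented by an attacker," which also matches the `:if => :admin_param` shown in the snippet. The solution snippet shows only the `before_filter` line; since the text says the `administrative` filter itself lives in app/controllers/application_controller.rb, consider quoting that method (or its role check) in the `<pre class="ruby">` block so a reader can verify the fix enforces the role rather than taking it on trust.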
@@ -1,7 +1,7 @@
<div class="widget"> <div class="widget">
<div class="widget-header"> <div class="widget-header">
<div class="title"> <div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A6 - Security Misconfiguration <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A5 - Security Misconfiguration
</div> </div>
</div> </div>
<div class="widget-body"> <div class="widget-body">
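Review bot: the heading is renumbered from "A6 - Security Misconfiguration" to "A5 - Security Misconfiguration" without a stated reason. If this follows the OWASP Top 10 2013 ordering, where Security Misconfiguration is A5, the "Failure to Restrict URL Access" heading in the other view hunk of this merge still carries the 2010 name and should be checked for the same consistency; either way, the commit message should mention the renumbering so the two heading changes are traceable.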
@@ -1,7 +1,7 @@
<div class="widget"> <div class="widget">
<div class="widget-header"> <div class="widget-header">
<div class="title"> <div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A6 - Security Misconfiguration <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A5 - Security Misconfiguration
</div> </div>
</div> </div>
<div class="widget-body"> <div class="widget-body">
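Review bot: this hunk is byte-for-byte the same change as the previous one, applied to a second file, which is exactly how the two headers drifted to needing a coordinated fix. Suggest moving the `widget-header` markup (icon span plus "A5 - Security Misconfiguration" title) into a shared partial rendered by both views, so the category number lives in one place.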