{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 放我归山 的问题《Is it safe to accept URL parameters for populating》','https://www.manongdao.com/q-865981.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am using Ruby on Rails 4.1.1 and I am thinking to accept parameters (through URL query strings) that are passed directly to the url_for method, this way:
# URL in the browser
http://www.myapp.com?redirect_to[controller]=users&redirect_to[action]=show&redirect_to[id]=1
# Controller
...
redirect_to url_for(params[:redirect_to].merge(:only_path => true))
Adopting the above approach users can be redirected after performing an action. However, I think people can enter arbitraryparams that can lead to security issues...
Is it safe to accept URL parameters for populating the url_for method? What are pitfalls? What can happen in the worst case?
By logging params during requests to my application I noted Rails adds always :controller and action parameters. Maybe that confirms url_for can be used the above way since it is protected internally and works as-like Rails is intended to.
Rails
redirect_tosets the HTTP status code to302 Foundwhich tells the browser toGETthe new path as you defined it byurl_for.GETis a considered a safe method in contrast toThe only problem would have been if someone could gain access to methods such as
createanddestroy. Since these methods use HTTP methods other thanGET(respectivelyPOSTandDELETE) it should be no problem.Another danger here is if you go beyond CRUD methods of REST and have a custom method which responses to
GETand changes the database state:routes.rb
SomethingController
For future ref:
Rails has a number of security measurements which may also interest you.
This it is safe internally as Ruby On Rails will only be issuing a HTTP redirect response.
As you are using
only_paththis will protect you from an Open redirect vulnerability. This is where an email is sent by an attacker containing a link in the following format (say your site isexample.com).As the user checks the URL and sees it is on the
example.comdomain they beleive it is safe so click the link. However, if there's an open redirect then the user ends up onevil.comwhich could ask for theirexample.compassword without the user noticing.Redirecting to a relative path only on your site fixes any vulnerability.
In your case you are giving users control of your controller, action and parameters. As long as your GET methods are safe (i.e. no side-effects), an attacker could not use this by creating a crafted link that the user opens.
In summary, from the information provided I don't see any risk from phishing URLs to your application.
It's not exactly an answer, just wanted to point out that you shouldn't use something like
because one could pass
hostandportas params and thus the url could lead to another site and it can get worse if it gets cached or something.Don't know if it threatens anything, but hey, it's worth pointing out