mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
docs: lint Markdown for four rules
- extra whitespace - markup - missing "alt" attribute - trailing whitespace
This commit is contained in:
parent
58ce690711
commit
dcd0544aed
3 changed files with 5 additions and 5 deletions
|
@ -236,7 +236,7 @@ Cross-Site Request Forgery (CSRF)
|
|||
|
||||
This attack method works by including malicious code or a link in a page that accesses a web application that the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.
|
||||
|
||||
![](images/security/csrf.png)
|
||||
![Cross-Site Request Forgery](images/security/csrf.png)
|
||||
|
||||
In the [session chapter](#sessions) you have learned that most Rails applications use cookie-based sessions. Either they store the session ID in the cookie and have a server-side session hash, or the entire session hash is on the client-side. In either case the browser will automatically send along the cookie on every request to a domain, if it can find a cookie for that domain. The controversial point is that if the request comes from a site of a different domain, it will also send the cookie. Let's start with an example:
|
||||
|
||||
|
@ -373,7 +373,7 @@ def sanitize_filename(filename)
|
|||
end
|
||||
```
|
||||
|
||||
A significant disadvantage of synchronous processing of file uploads (as the attachment_fu plugin may do with images), is its _vulnerability to denial-of-service attacks_. An attacker can synchronously start image file uploads from many computers which increases the server load and may eventually crash or stall the server.
|
||||
A significant disadvantage of synchronous processing of file uploads (as the `attachment_fu` plugin may do with images), is its _vulnerability to denial-of-service attacks_. An attacker can synchronously start image file uploads from many computers which increases the server load and may eventually crash or stall the server.
|
||||
|
||||
The solution to this is best to _process media files asynchronously_: Save the media file and schedule a processing request in the database. A second process will handle the processing of the file in the background.
|
||||
|
||||
|
@ -405,7 +405,7 @@ raise if basename !=
|
|||
send_file filename, disposition: 'inline'
|
||||
```
|
||||
|
||||
Another (additional) approach is to store the file names in the database and name the files on the disk after the ids in the database. This is also a good approach to avoid possible code in an uploaded file to be executed. The attachment_fu plugin does this in a similar way.
|
||||
Another (additional) approach is to store the file names in the database and name the files on the disk after the ids in the database. This is also a good approach to avoid possible code in an uploaded file to be executed. The `attachment_fu` plugin does this in a similar way.
|
||||
|
||||
Intranet and Admin Security
|
||||
---------------------------
|
||||
|
|
Loading…
Reference in a new issue