Ruby on Rails Releases Yet Another Emergency Security Upgrade - 1.1.6
By Angsuman Chakraborty, Gaea News Network, Friday, August 11, 2006
Rails has taken the right route and gone for full disclosure, unlike, for example, the WordPress team, who still believe in the flawed concept of security by obscurity. After a full assessment of the security vulnerability (details below), the Rails team decided they needed yet another emergency patch to fully close the hole.
With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by requesting something like /script/profiler, as that code will run for a long time and the process will hang while it does. Other URLs can even cause data loss.
Commendably, they have backported a fix to all the affected versions for those who can’t update to 1.1.6. You’ll have to apply the diff for your version:
- Patch for Rails 1.1.0
- Patch for Rails 1.1.1
- Patch for Rails 1.1.2
- Patch for Rails 1.1.4
- Patch for Rails 1.1.5: Upgrade to Rails 1.1.6.
These patches (and 1.1.6) will break applications that use the third-party engines approach. So if you can’t upgrade because of dependencies on those, you can instead add the following URL blocking in the web server while the engines are being updated. Here’s how to do it with mod_rewrite under Apache:
RewriteRule ^(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/ - [F]
Here’s how to do it under lighttpd:
url.rewrite-once = ( "^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/" => "index.html" )
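Before deploying either rule, it is worth checking which request paths it actually denies. The following is an added Ruby example, not code from the original post or from the Rails project: it mirrors the directory list and pattern of the two rewrite rules above and classifies a set of constructed sample paths. The sample paths, the function names and the helper are all assumptions made for the illustration.

```ruby
# Added example (not from the original post or from Rails): a check that mirrors
# the URL-blocking rewrite rules above, so you can verify which request paths
# the rule denies before putting it in front of a Rails application.

# The same top-level directory list used in the mod_rewrite and lighttpd rules.
BLOCKED_DIRS = %w[app components config db doc lib log public script test tmp vendor].freeze

# Equivalent of the lighttpd pattern "^/(app|...)/" applied to a request path.
# The Apache rule omits the leading slash because mod_rewrite strips it in a
# per-directory (.htaccess) context; both forms match the same requests there.
BLOCK_PATTERN = %r{\A/(#{BLOCKED_DIRS.join('|')})/}

# Returns true when the request path would be denied (Apache: 403 via [F];
# lighttpd: rewritten to index.html).
def blocked_by_rewrite?(request_path)
  # Only the path component is matched; drop any query string first.
  path = request_path.split('?', 2).first
  !!(path =~ BLOCK_PATTERN)
end

# Constructed sample request paths (assumed, not from the advisory): the profiler
# URL named above, files under blocked directories, and ordinary application routes.
SAMPLE_PATHS = [
  "/script/profiler",        # blocked
  "/config/database.yml",    # blocked
  "/vendor/rails/foo.rb",    # blocked
  "/scripts/app.js",         # allowed: "scripts" is not in the list (slash required)
  "/articles/1",             # allowed
  "/",                       # allowed
  "/script",                 # allowed by the pattern: no trailing slash, so no match
].freeze

# Pairs each path with the verdict the rewrite rule would give it.
def classify(paths = SAMPLE_PATHS)
  paths.map { |p| [p, blocked_by_rewrite?(p) ? "blocked" : "allowed"] }
end

if __FILE__ == $PROGRAM_NAME
  classify.each { |path, verdict| puts "#{verdict.ljust(7)} #{path}" }
end
```

Note the difference in the two patterns above: in a per-directory (.htaccess) context Apache's mod_rewrite strips the leading slash before matching, which is why the Apache rule starts with `^(app|...)`. In a server or virtual-host context the path keeps its leading slash, and the pattern would need `^/` like the lighttpd one, otherwise nothing is blocked.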