[Rails] Re: On the total nondisclosure of the 8/9/06 security vulner
Sander Land
sander.land at gmail.com
Thu Aug 10 14:18:20 GMT 2006
Running with WEBrick in development mode, both /cgi and those 2 requests
generate errors on all subsequent requests.
For the .cgi one:
.../ruby/lib/ruby/1.8/cgi.rb:773
...
action_controller/routing.rb:289:in `attempt_load'
routing.rb:
  safe_load_paths.each do |load_path|
    full_path = File.join(load_path, path)
    file_path = full_path + '.rb'
    if File.file?(file_path) # Found a .rb file? Load it up
      require_dependency(file_path)
Printing 'safe_load_paths' in attempt_load gives me all the dirs from my
app, Rails, and some Ruby library dirs (!). Also, the path variable is
'cgi'.
So it just traverses all lib directories and loads the first file named
cgi.rb, even if it's in a Ruby or Rails library dir.
with safe_load_paths being defined as:
  def safe_load_paths #:nodoc:
    if defined?(RAILS_ROOT)
      $LOAD_PATH.select do |base|
        base = File.expand_path(base)
        extended_root = File.expand_path(RAILS_ROOT)
        base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
      end
  ...
where File.expand_path(RAILS_ROOT) is my application dir.
This:
  base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/)
seems to match too much; some debugging output shows that
file_kinds(:lib) * '|' returns 'app|lib',
so this is base.match(/\A/path/to/your_app/\/*app|lib/)
with no parentheses around app|lib!
So any dir matching 'lib' is included.
Fix:
actionpack-1.12.4\lib\action_controller\routing.rb: 276
CHANGE
  base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
TO
  base.match(/\A#{Regexp.escape(extended_root)}\/*(?:#{file_kinds(:lib) * '|'})/) || base =~ %r{rails-[\d.]+/builtin}
Vulnerability fixed :)
...and I haven't even finished my first rails app yet ;)
--
Posted via http://www.ruby-forum.com/.
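The regexp precedence bug described in the post above, as an added, stand-alone Ruby example (this is not code from the original message or from Rails itself): it reproduces the ungrouped and the grouped form of the safe_load_paths filter side by side on a constructed $LOAD_PATH and then mimics attempt_load's "first directory that has <path>.rb" search. The RAILS_ROOT value, the load path entries, and the set of files "on disk" are all constructed for the example; file_kinds(:lib) is replaced by the literal %w(app lib) the post reports it returning.

```ruby
# Added example, not part of the original post or of Rails.
# Reproduces the alternation-precedence bug in safe_load_paths and the
# (?:...) fix, then shows what attempt_load would pick for a GET /cgi.
require 'set'

# Assumed application directory (stands in for RAILS_ROOT).
RAILS_ROOT_EX = "/home/sander/myapp"

# Constructed stand-in for $LOAD_PATH in a Ruby 1.8 / Rails 1.1 app.
SAMPLE_LOAD_PATH = [
  "/home/sander/myapp/app/controllers",
  "/home/sander/myapp/lib",
  "/home/sander/myapp/vendor/plugins/foo/lib",
  "/usr/lib/ruby/1.8",                                  # Ruby stdlib: has cgi.rb
  "/usr/lib/ruby/gems/1.8/gems/rails-1.1.6/builtin",
  "/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.4/lib",
  "/tmp/unrelated",
].freeze

# What the post reports file_kinds(:lib) returning; Array#* with a String joins.
FILE_KINDS_LIB = %w(app lib).freeze

# Vulnerable form. Without grouping the regexp is really
#   \A<root>/*app   |   lib
# so the second branch matches the substring "lib" anywhere in any path.
def vulnerable_safe_load_paths(load_path, root)
  extended_root = File.expand_path(root)
  load_path.select do |base|
    base = File.expand_path(base)
    base.match(/\A#{Regexp.escape(extended_root)}\/*#{FILE_KINDS_LIB * '|'}/) ||
      base =~ %r{rails-[\d.]+/builtin}
  end
end

# Fixed form: (?:app|lib) keeps both alternatives anchored under the app root.
def fixed_safe_load_paths(load_path, root)
  extended_root = File.expand_path(root)
  load_path.select do |base|
    base = File.expand_path(base)
    base.match(/\A#{Regexp.escape(extended_root)}\/*(?:#{FILE_KINDS_LIB * '|'})/) ||
      base =~ %r{rails-[\d.]+/builtin}
  end
end

# Mimics attempt_load: first directory in the filtered list where
# "<dir>/<path>.rb" exists. `on_disk` is a constructed stand-in for File.file?.
def first_match(load_paths, path, on_disk)
  load_paths.each do |lp|
    file_path = File.join(lp, path) + ".rb"
    return file_path if on_disk.include?(file_path)
  end
  nil
end

# Constructed set of files that "exist" for the search above.
FILES_ON_DISK = Set.new([
  "/usr/lib/ruby/1.8/cgi.rb",
  "/home/sander/myapp/app/controllers/posts_controller.rb",
]).freeze

if __FILE__ == $0
  vuln  = vulnerable_safe_load_paths(SAMPLE_LOAD_PATH, RAILS_ROOT_EX)
  fixed = fixed_safe_load_paths(SAMPLE_LOAD_PATH, RAILS_ROOT_EX)
  puts "ungrouped filter keeps: #{vuln.inspect}"
  puts "grouped filter keeps:   #{fixed.inspect}"
  puts "GET /cgi, ungrouped: #{first_match(vuln, 'cgi', FILES_ON_DISK).inspect}"
  puts "GET /cgi, grouped:   #{first_match(fixed, 'cgi', FILES_ON_DISK).inspect}"
end
```

With the ungrouped regexp every entry containing "lib" survives the filter, including the Ruby stdlib directory, so the search for "cgi" lands on /usr/lib/ruby/1.8/cgi.rb; with the grouped regexp only the app's own app/ and lib/ directories and the rails builtin directory survive, and the same request finds nothing.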