Do you mean 1.1.6??
http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
On 8/10/06, Kent Sibilev <ksruby@gmail.com> wrote:
> Hi,
>
> I think there is still a major vulnerability in the latest Rails
> 1.1.5.
>
> The problem is in the routing.rb file and safe_load_paths method.
> Because of the erroneous regexp it is possible to perform a DOS attack
> on any rails application.
>
> To reproduce:
> 1. start your application
> 2. use this url: http://localhost:3000/debug
>
> The routing module will load the standard debug.rb script, which stops a
> dispatcher process waiting for terminal input. This way it is actually
> possible to load any script from the Ruby standard library.
>
> Patch:
>
> Index: actionpack/lib/action_controller/routing.rb
> ==================================================================> ---
actionpack/lib/action_controller/routing.rb (revision 4745)
> +++ actionpack/lib/action_controller/routing.rb (working copy)
> @@ -270,10 +270,11 @@
> protected
> def safe_load_paths #:nodoc:
> if defined?(RAILS_ROOT)
> + extended_root = Regexp.escape(File.expand_path(RAILS_ROOT))
> $LOAD_PATH.select do |base|
> base = File.expand_path(base)
> extended_root = File.expand_path(RAILS_ROOT)
> - base.match(/\A#{Regexp.escape
> (extended_root)}\/*#{file_kinds(:lib)
> * ''|''}/) || base =~ %r{rails-[\d.]+/builtin}
> + base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) *
> ''|''})/) || base =~ %r{rails-[\d.]+/builtin}
> end
> else
> $LOAD_PATH
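Review bot: the unchanged context line "extended_root = File.expand_path(RAILS_ROOT)" inside the select block still runs after the new assignment above the block, so it overwrites the escaped value and the new base.match(/\A#{extended_root}.../) interpolates the raw, unescaped path. Drop that inner assignment (or keep Regexp.escape(extended_root) in the pattern itself) so regexp metacharacters in RAILS_ROOT are not interpreted. The added parentheses around the file_kinds(:lib) alternation are what tie every alternative to the \A prefix; a one-line comment saying so, plus a test with a load path outside RAILS_ROOT, would keep this from regressing. The second condition, base =~ %r{rails-[\d.]+/builtin}, is still unanchored and worth a look in the same change.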
>
>
> --
> Kent
> ---
> http://www.datanoise.com
> _______________________________________________
> Rails-core mailing list
> Rails-core@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails-core
>
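The "erroneous regexp" described in the quoted message comes down to the precedence of `|`. The Ruby sketch below is an added example, not code from the thread or from Rails; `FILE_KINDS`, `ROOT` and the sample load path are constructed stand-ins for `file_kinds(:lib)`, `RAILS_ROOT` and `$LOAD_PATH`.

```ruby
# Added illustration of alternation precedence in a load-path filter.
# FILE_KINDS, ROOT and SAMPLE_LOAD_PATH are constructed for this example.
FILE_KINDS = %w[app/controllers app/helpers lib].freeze # stand-in for file_kinds(:lib)
ROOT = '/srv/apps/demo'                                  # stand-in for RAILS_ROOT

# Shaped like the removed line: the alternation is not grouped, so only the
# first alternative is tied to \A<root>/*; the others match anywhere in base.
def ungrouped_pattern(root, kinds)
  Regexp.new("\\A#{Regexp.escape(root)}/*#{kinds.join('|')}")
end

# Shaped like the added line: the group keeps every alternative behind the
# \A<root>/* prefix.
def grouped_pattern(root, kinds)
  Regexp.new("\\A#{Regexp.escape(root)}/*(#{kinds.join('|')})")
end

# Same selection logic as the filter in the patch, over an explicit list.
def filter_paths(paths, pattern)
  paths.select { |base| File.expand_path(base).match(pattern) }
end

SAMPLE_LOAD_PATH = [
  '/srv/apps/demo/app/controllers',
  '/srv/apps/demo/lib',
  '/usr/lib/ruby/1.8', # standard library directory, outside the application
  '/opt/vendor/tools'  # outside the application, no "lib" substring
].freeze

if __FILE__ == $PROGRAM_NAME
  puts 'ungrouped keeps:', filter_paths(SAMPLE_LOAD_PATH, ungrouped_pattern(ROOT, FILE_KINDS))
  puts 'grouped keeps:', filter_paths(SAMPLE_LOAD_PATH, grouped_pattern(ROOT, FILE_KINDS))
end
```

With the ungrouped pattern the standard library directory passes the filter because its path merely contains "lib"; with the grouped pattern only directories under the application root remain.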