Hi,

I think there is still a major vulnerability in the latest Rails 1.1.5.

The problem is in the routing.rb file and the safe_load_paths method. Because of the erroneous regexp it is possible to perform a DOS attack on any Rails application.

To reproduce:
1. start your application
2. use this url: http://localhost:3000/debug

The Routing module will load the standard debug.rb script, which stops a dispatcher process waiting for terminal input. Actually, this way it is possible to load any script from the Ruby standard library.

Patch:

Index: actionpack/lib/action_controller/routing.rb ==================================================================--- actionpack/lib/action_controller/routing.rb (revision 4745) +++ actionpack/lib/action_controller/routing.rb (working copy) @@ -270,10 +270,11 @@ protected def safe_load_paths #:nodoc: if defined?(RAILS_ROOT) + extended_root = Regexp.escape(File.expand_path(RAILS_ROOT)) $LOAD_PATH.select do |base| base = File.expand_path(base) extended_root = File.expand_path(RAILS_ROOT) - base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * ''|''}/) || base =~ %r{rails-[\d.]+/builtin} + base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) * ''|''})/) || base =~ %r{rails-[\d.]+/builtin} end else $LOAD_PATH

--
Kent
---
http://www.datanoise.com
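Review bot: the unchanged context line `extended_root = File.expand_path(RAILS_ROOT)` inside the select block reassigns the variable on every iteration, so the `Regexp.escape` value assigned on the new line above the block is overwritten before the new regexp interpolates `#{extended_root}`, and the root ends up in the pattern unescaped; delete that inner assignment (or escape at the point of use) so the hunk does what it intends. The parentheses added around the `file_kinds(:lib)` alternation are the substantive fix and look right: in the old pattern the `\A#{...}\/*` prefix binds only to the first alternative, and every other kind in the list matches anywhere in a $LOAD_PATH entry, which is how directories outside RAILS_ROOT passed the filter.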
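A stand-alone re-creation of the $LOAD_PATH filter, added here as an example (it is not Kent's patch or the Rails code): it runs the 1.1.5 pattern and the patch's grouped pattern over a constructed $LOAD_PATH to show that the ungrouped alternation accepts directories outside RAILS_ROOT. RAILS_ROOT, the kinds list standing in for file_kinds(:lib), and the paths are assumed values.

```ruby
# Added example, not code from the report or from Rails itself: a stand-alone
# re-creation of the safe_load_paths filter with the 1.1.5 regexp and with the
# grouped regexp from the patch, run over a constructed $LOAD_PATH.
# RAILS_ROOT, LIB_KINDS (a stand-in for file_kinds(:lib)) and the paths below
# are assumed values chosen for the demonstration.
RAILS_ROOT = "/srv/app"
LIB_KINDS  = %w(app lib vendor)

# Constructed $LOAD_PATH: app directories that should pass, the Rails builtin
# directory, and two Ruby standard-library directories that must be rejected,
# since every file under an accepted directory becomes reachable by URL.
LOAD_PATH = [
  "/srv/app/app/controllers",
  "/srv/app/lib",
  "/opt/gems/rails-1.1.5/builtin",
  "/usr/lib/ruby/1.8",
  "/usr/lib/ruby/site_ruby/1.8",
]

# The 1.1.5 filter: the alternation is not grouped, so \A<root>/* binds only
# to the first kind ("app"); "lib" and "vendor" match anywhere in a path.
def old_safe_load_paths(paths, root = RAILS_ROOT, kinds = LIB_KINDS)
  extended_root = Regexp.escape(File.expand_path(root))
  paths.select do |base|
    base = File.expand_path(base)
    base.match(/\A#{extended_root}\/*#{kinds * '|'}/) ||
      base =~ %r{rails-[\d.]+/builtin}
  end
end

# The patch's intent: escape the root once, outside the block, and group the
# alternation so every kind is anchored under RAILS_ROOT.
def patched_safe_load_paths(paths, root = RAILS_ROOT, kinds = LIB_KINDS)
  extended_root = Regexp.escape(File.expand_path(root))
  paths.select do |base|
    base = File.expand_path(base)
    base.match(/\A#{extended_root}\/*(#{kinds * '|'})/) ||
      base =~ %r{rails-[\d.]+/builtin}
  end
end

# Accepted directories that lie outside RAILS_ROOT and are not the Rails
# builtin directory; an empty result means the filter holds.
def leaked_paths(paths, filter_name)
  root = File.expand_path(RAILS_ROOT) + "/"
  send(filter_name, paths).reject do |p|
    File.expand_path(p).start_with?(root) || p =~ %r{rails-[\d.]+/builtin}
  end
end
```

Running `leaked_paths(LOAD_PATH, :old_safe_load_paths)` returns both standard-library directories, while the patched filter returns none.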
Kevin Clark
2006-Aug-10 18:33 UTC
Re: Major security vulnerability in the latest Rails 1.1.5
Kent,

We're working on it. 1.1.6 should fix it I believe. Someone on the core chime in?

Kev

On 8/10/06, Kent Sibilev <ksruby@gmail.com> wrote:
> I think there is still a major vulnerability in the latest Rails 1.1.5.

--
Kevin Clark
http://glu.ttono.us
Pieter Botha
2006-Aug-11 17:03 UTC
[Rails] Major security vulnerability in the latest Rails 1.1.5
Running 1.1.4 - getting -> Recognition failed for "/debug".

Running webrick.

Kent Sibilev wrote:
> I think there is still a major vulnerability in the latest Rails 1.1.5.
Kent Sibilev
2006-Aug-11 18:41 UTC
[Rails] Major security vulnerability in the latest Rails 1.1.5
I sent this email yesterday morning. For whatever reason it was delayed for more than 24 hours. There must be something wrong with the mail server.

Anyway, this problem is fixed with the latest 1.1.6.

On 8/11/06, Pieter Botha <ship@lantic.net> wrote:
> Running 1.1.4 - getting -> Recognition failed for "/debug".
>
> Running webrick.

--
Kent
---
http://www.datanoise.com
Brian Hogan
2006-Aug-11 19:55 UTC
[Rails] Major security vulnerability in the latest Rails 1.1.5
FYI: There is a Rails 1.1.6 that fixes this.

On 8/11/06, Pieter Botha <ship@lantic.net> wrote:
> Running 1.1.4 - getting -> Recognition failed for "/debug".
>
> Running webrick.
Michael Koziarski
2006-Aug-13 21:59 UTC
Re: Major security vulnerability in the latest Rails 1.1.5
> Kent,
> We're working on it. 1.1.6 should fix it I believe. Someone on the
> core chime in?

Yes, 1.1.6 is not vulnerable as far as we can tell.

In future, this list is *not* the place to report vulnerabilities. Perhaps we should have a security@rubyonrails.org which contacts a few of us on the core team.

--
Cheers

Koz