Re: [Rails-core] Major security vulnerability in the latest Rails 1.1.5

2006-08-13 Thread Kevin Clark

Kent,
We're working on it. 1.1.6 should fix it I believe. Someone on the
core chime in?
Kev

On 8/10/06, Kent Sibilev [EMAIL PROTECTED] wrote:

Hi,

I think a major vulnerability still exists in the latest Rails 1.1.5.

The problem is in the routing.rb file and safe_load_paths method.
Because of the erroneous regexp it is possible to perform a DoS attack
on any Rails application.

To reproduce:
1. start your application
2. use this url: http://localhost:3000/debug

The routing module will load the standard debug.rb script, which stops a
dispatcher process waiting for terminal input. Actually, this way it
is possible to load any script from the Ruby standard library.

Patch:

Index: actionpack/lib/action_controller/routing.rb
===
--- actionpack/lib/action_controller/routing.rb (revision 4745)
+++ actionpack/lib/action_controller/routing.rb (working copy)
@@ -270,10 +270,11 @@
  protected
def safe_load_paths #:nodoc:
  if defined?(RAILS_ROOT)
+extended_root = Regexp.escape(File.expand_path(RAILS_ROOT))
$LOAD_PATH.select do |base|
  base = File.expand_path(base)
  extended_root = File.expand_path(RAILS_ROOT)
-  
base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib)
* '|'}/) || base =~ %r{rails-[\d.]+/builtin}
+  base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) *
'|'})/) || base =~ %r{rails-[\d.]+/builtin}
end
  else
$LOAD_PATH
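
Review bot: The unchanged context line "extended_root = File.expand_path(RAILS_ROOT)" inside the select block still runs on every iteration and overwrites the escaped value assigned by the new line above the block, so the new "#{extended_root}" interpolation ends up unescaped and a RAILS_ROOT containing regexp metacharacters is interpolated raw. Delete the in-block assignment, or keep Regexp.escape at the interpolation site as the removed line did. The new group also has no boundary after it, so a directory under the root whose name merely begins with one of the kinds still passes; ending the pattern with a "/" or end-of-string check would close that. A regression test asserting that a standard library directory is rejected by safe_load_paths would be worth adding alongside this change.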



--
Kent
---
http://www.datanoise.com
___
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core




--
Kevin Clark
http://glu.ttono.us
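
The effect of the missing group in the regexp Kent describes, as an added Ruby example that is not part of the original thread or of the Rails code base. ROOT, KINDS (an assumed stand-in for file_kinds(:lib), whose real contents the thread does not show) and the load paths are constructed.

```ruby
# Added illustration; every value below is constructed, not taken from Rails.
ROOT  = "/srv/app"                     # stands in for File.expand_path(RAILS_ROOT)
KINDS = %w[app/models components lib]  # assumed stand-in for file_kinds(:lib)

# Pre-patch shape: '|' binds loosest, so "\A<root>/*" applies only to the
# first alternative and the remaining ones match anywhere in the path.
UNGROUPED = /\A#{Regexp.escape(ROOT)}\/*#{KINDS * '|'}/

# Patched shape: the group keeps every alternative behind the anchored root.
GROUPED = /\A#{Regexp.escape(ROOT)}\/*(#{KINDS * '|'})/

# Constructed $LOAD_PATH: two application directories, then system ones.
SAMPLE_LOAD_PATH = [
  "/srv/app/lib",
  "/srv/app/app/models",
  "/usr/lib/ruby/1.8",
  "/usr/local/lib/site_ruby",
  "/opt/other/components",
  "/usr/share/ruby/vendor"
]

# Same selection logic as safe_load_paths, with the pattern passed in.
def safe_paths(load_path, pattern)
  load_path.select { |base| File.expand_path(base).match(pattern) }
end

# Directories the ungrouped pattern accepts although they are outside ROOT.
def wrongly_trusted(load_path)
  safe_paths(load_path, UNGROUPED) - safe_paths(load_path, GROUPED)
end

if __FILE__ == $0
  puts "ungrouped accepts: #{safe_paths(SAMPLE_LOAD_PATH, UNGROUPED).inspect}"
  puts "grouped accepts:   #{safe_paths(SAMPLE_LOAD_PATH, GROUPED).inspect}"
  puts "wrongly trusted:   #{wrongly_trusted(SAMPLE_LOAD_PATH).inspect}"
end
```

With the ungrouped pattern, any load path entry that merely contains "lib" or "components" is treated as safe, which is how a standard library directory ends up eligible for loading.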


Re: [Rails-core] Major security vulnerability in the latest Rails 1.1.5

2006-08-13 Thread Michael Koziarski

Kent,
We're working on it. 1.1.6 should fix it I believe. Someone on the
core chime in?


Yes, 1.1.6 is not vulnerable as far as we can tell. In future, this
list is *not* the place to report vulnerabilities. Perhaps we should
have a [EMAIL PROTECTED] which contacts a few of us on the core
team.


--
Cheers

Koz