Moritz Muehlenhoff wrote:
Adam Majer wrote:
Since this is an XSS problem, I don't think it needs a grave severity. But then some will argue otherwise. Also, nothing on the "Ruby on Rails security announcement list"... hmmmm....

(Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
potentially harmful characters? If not, sanitising still needs to be done inside
the application using RoR and this is mostly a security-related wishlist
bug, but not an immediate vulnerability.

The fix is going to have to be backported to stable and also to sid as the current trunk (where patch is) doesn't even contain the same files anymore.

JSON is JavaScript Object Notation (json.org). It is supposed to be used as a data interchange format. Data is to be passed to a web application's JavaScript (or something like that - I have not used JSON). Anyway, the problem is that the encoding function does NOT encode stuff like < or >. If these are not escaped when passed in "encoded" JSON, well, you get the XSS problem.

The changesets that fix the problem are at:

  http://dev.rubyonrails.org/changeset/6893
  http://dev.rubyonrails.org/changeset/6894

This is not a problem to backport back to unstable and Etch though.

- Adam

PS. The "security announcement group" for rails seems to be dead. Or maybe they view XSS as not really security related?

http://groups.google.com/group/rubyonrails-security
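To make the issue in the message above concrete, here is an added example (not code from the thread, the Rails changesets, or the Debian package) showing why a JSON encoder that leaves `<`, `>` and `&` alone is a problem when the output is inlined into an HTML page, and the usual fix: emit those characters as JSON `\uXXXX` escapes, which stay valid JSON but can no longer close a `<script>` element. The `json_for_html` and `breaks_out_of_script?` helpers and the sample data are constructed for this illustration.

```ruby
require 'json'

# Characters that are harmless inside JSON but let a string close or alter
# an HTML element once the JSON text is inlined into a page (e.g. in <script>).
HTML_UNSAFE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Encode +obj+ as JSON, then rewrite HTML-significant characters as their
# JSON \uXXXX escapes.  The result is still valid JSON (JSON.parse returns the
# original values), but the text cannot terminate a <script> block.
def json_for_html(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# True when +json_text+ contains a sequence that would close a script element
# if the text were embedded verbatim in HTML.
def breaks_out_of_script?(json_text)
  json_text =~ %r{</script}i ? true : false
end

# Constructed sample: a user-supplied comment that tries to close the script tag.
SAMPLE = { 'user' => 'mallory', 'comment' => '</script><b>hi</b>' }.freeze

if __FILE__ == $0
  plain = JSON.generate(SAMPLE)   # plain encoder: < and > pass through
  safe  = json_for_html(SAMPLE)   # hardened encoder: < and > become \u003c \u003e
  puts "plain: #{plain}  breaks out of <script>: #{breaks_out_of_script?(plain)}"
  puts "safe:  #{safe}  breaks out of <script>: #{breaks_out_of_script?(safe)}"
  puts "safe output round-trips: #{JSON.parse(safe) == SAMPLE}"
end
```

Escaping at the JSON layer does not replace HTML escaping where the same data is rendered as markup; it only covers the case of JSON text placed directly inside a script context.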

