FWIW this particular line has been present since early 2012. f52ad6cf actionpack/lib/action_controller/metal/redirecting.rb (Aaron Patterson 2012-03-15 14:56:50 -0700 106) end.gsub(/[\0\r\n]/, '')
On Thu, Mar 6, 2014 at 7:11 PM, Brandon Perry <[email protected]>wrote: > I agree, an exception is the correct behavior. > > > On Thu, Mar 6, 2014 at 2:10 PM, Timothy Goddard <[email protected]>wrote: > >> Very interesting, could cause issues. It can't use the value and not >> substitute - that's worse. Have seen response splitting in mod_perl because >> it outputs raw strings in to location headers. In my view it should raise >> an exception if not a valid URI. >> >> >> Sent from Samsung Mobile >> >> >> >> -------- Original message -------- >> From: Brandon Perry <[email protected]> >> Date: >> To: [email protected] >> Subject: [Full-disclosure] Rails and redirections >> >> >> >> Currently, passing \0, \r, or \n into a URL that is passed to redirect_to >> has Rails gsub'ing them out of the URL before completing the redirect. >> >> A programmer that doesn't realise this is happening could easily write a >> regex and logic that says "if url starts with https:// or http:// fail >> or else redirect_to url". >> >> Seems straighforward, but an attacker could simply pass in a url like >> \nhttp://www.google.com and bypass the regex check and be redirected to >> google.com. >> >> The line effecting this is line 106 in redirecting.rb in Rails. >> >> >> https://github.com/rails/rails/blob/3-2-stable/actionpack/lib/action_controller/metal/redirecting.rb#L106 >> >> I feel like this is something that Rails should not be doing on behalf of >> the programmer. The programmer should be expected to pass in exactly what >> they want redirected to without Rails changing their data. Should this be >> considered a vulnerability? >> >> Thoughts? >> >> -- >> http://volatile-minds.blogspot.com -- blog >> http://www.volatileminds.net -- website >> > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
