Kent,

We're working on it. 1.1.6 should fix it I believe. Someone on the core chime in?

Kev
On 8/10/06, Kent Sibilev <[EMAIL PROTECTED]> wrote:
Hi,

I think there is still a major vulnerability in the latest Rails 1.1.5. The problem is in the routing.rb file and safe_load_paths method. Because of the erroneous regexp it is possible to perform a DoS attack on any Rails application.

To reproduce:
1. start your application
2. use this url: http://localhost:3000/debug

The routing module will load the standard debug.rb script, which stops a dispatcher process waiting for terminal input. Actually, this way it is possible to load any script from the Ruby standard library.

Patch:

Index: actionpack/lib/action_controller/routing.rb =================================================================== --- actionpack/lib/action_controller/routing.rb (revision 4745) +++ actionpack/lib/action_controller/routing.rb (working copy) @@ -270,10 +270,11 @@ protected def safe_load_paths #:nodoc: if defined?(RAILS_ROOT) + extended_root = Regexp.escape(File.expand_path(RAILS_ROOT)) $LOAD_PATH.select do |base| base = File.expand_path(base) extended_root = File.expand_path(RAILS_ROOT) - base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin} + base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) * '|'})/) || base =~ %r{rails-[\d.]+/builtin} end else $LOAD_PATH

-- Kent --- http://www.datanoise.com
_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
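Review bot: the unchanged context line `extended_root = File.expand_path(RAILS_ROOT)` inside the `$LOAD_PATH.select` block is still present, so it overwrites the escaped value assigned by the new line above the block, and the new `base.match(/\A#{extended_root}.../)` interpolates the raw path with no `Regexp.escape`. Delete the assignment inside the block so the hoisted, escaped value is the one the pattern uses. The added parentheses around `#{file_kinds(:lib) * '|'}` do tie every alternative to the root prefix, but the `%r{rails-[\d.]+/builtin}` branch is still unanchored and matches anywhere in `base`; consider anchoring it as well, and add a routing test covering the `/debug` case from the report.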
-- Kevin Clark http://glu.ttono.us
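The precedence problem behind the report, as an added Ruby example that is not part of the thread or of the Rails source. `APP_ROOT`, `LIB_KINDS` and the sample load path are constructed stand-ins, since the thread does not show the real values of `RAILS_ROOT` or `file_kinds(:lib)`.

```ruby
# Constructed stand-ins (assumptions, not values from Rails or the thread).
APP_ROOT  = "/srv/app"
LIB_KINDS = %w[app lib components]

# Pattern shape before the patch: "|" binds loosest, so only the first
# alternative carries the \A<root>/ prefix; the others match anywhere.
def unanchored_filter(paths, root = APP_ROOT, kinds = LIB_KINDS)
  pattern = /\A#{Regexp.escape(File.expand_path(root))}\/*#{kinds * '|'}/
  paths.select { |base| File.expand_path(base).match(pattern) }
end

# Alternation grouped: every alternative must follow the escaped root.
# The root is escaped once, outside the block, and never reassigned.
def grouped_filter(paths, root = APP_ROOT, kinds = LIB_KINDS)
  escaped_root = Regexp.escape(File.expand_path(root))
  pattern = /\A#{escaped_root}\/*(#{kinds * '|'})/
  paths.select { |base| File.expand_path(base).match(pattern) }
end

# Constructed load path: two application directories, interpreter
# directories, and an unrelated directory that happens to contain a kind name.
SAMPLE_LOAD_PATH = [
  "/srv/app/lib",
  "/srv/app/components",
  "/usr/lib/ruby/1.8",
  "/usr/lib/ruby/site_ruby/1.8",
  "/opt/components/shared",
  "/usr/share/ruby",
]

if __FILE__ == $0
  puts "unanchored: #{unanchored_filter(SAMPLE_LOAD_PATH).inspect}"
  puts "grouped:    #{grouped_filter(SAMPLE_LOAD_PATH).inspect}"
end
```

With the unanchored pattern, any load-path entry that merely contains `lib` or `components` passes the filter, which is how interpreter library directories end up treated as safe.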