http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
On 8/10/06, Kent Sibilev <[EMAIL PROTECTED]> wrote:
Hi,
I think there is still a major vulnerability exists in the latest Rails 1.1.5.
The problem is in the routing.rb file and safe_load_paths method.
Because of the erroneous regexp it is possible to perform a DOS attack
on any rails application.
To reproduce:
1. start your application
2. use this url: http://localhost:3000/debug
Routing module will load standard debug.rb script which stops a
dispatcher process waiting for a terminal input. Actually this way it
is possible to load any script from the ruby standard library.
Patch:
Index: actionpack/lib/action_controller/routing.rb
===================================================================
--- actionpack/lib/action_controller/routing.rb (revision 4745)
+++ actionpack/lib/action_controller/routing.rb (working copy)
@@ -270,10 +270,11 @@
protected
def safe_load_paths #:nodoc:
if defined?(RAILS_ROOT)
+ extended_root = Regexp.escape(File.expand_path(RAILS_ROOT))
$LOAD_PATH.select do |base|
base = File.expand_path(base)
extended_root = File.expand_path(RAILS_ROOT)
- base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib)
* '|'}/) || base =~ %r{rails-[\d.]+/builtin}
+ base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) *
'|'})/) || base =~ %r{rails-[\d.]+/builtin}
end
else
$LOAD_PATH
--
Kent
---
http://www.datanoise.com
_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
_______________________________________________ Rails-core mailing list Rails-core@lists.rubyonrails.org http://lists.rubyonrails.org/mailman/listinfo/rails-core
