Another way... If your app does not use XML or JSON params

One of the suggested workarounds for a previous vuln is to disable the XML
params parser. If you have done so, good. The JSON params parser would need
to be disabled too.
On Feb 7, 2013 1:39 AM, "Michael Pearson" <[email protected]> wrote:

> Unfortunately not: the commit made it into Rails post 3.2's release, and
> as it's a "breaking change" it won't be part of a 3.2 patch release:
>
>
> https://github.com/rails/rails/commit/7c4d3311332d8d6718f29c0f275325ef999d4734
>
> My intention with this change was to avoid the sorts of scenarios that
> Fred described earlier.
>
> I guess the only solution really is to not use MySQL :/
>
> On Wed, Feb 6, 2013 at 10:47 PM, Mario Visic <[email protected]> wrote:
>
>> STRICT_ALL_TABLES is actually already enabled in recent versions of
>> rails. I believe 3.1? and above, you can see that here:
>>
>>
>> https://github.com/rails/rails/blob/master/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb#L54
>>
>> If you do manage to find an SQL model that will play nice, here's some
>> code I used to add some extra modes to a rails app I worked on:
>> https://gist.github.com/mariovisic/f2a0e57525796e87cbe6
>>
>> On Wednesday, February 6, 2013 9:24:15 PM UTC+11, Y. Thong Kuah wrote:
>>
>>> Doesn't look like STRICT_ALL_TABLES fixes the typecasting.
>>>
>>> Can't find any modes that would fix this at all.
>>>
>>> https://dev.mysql.com/doc/refman/5.1/en/server-sql-mode.html#sqlmode_strict_all_tables
>>>
>>>
>>> On Wed, Feb 6, 2013 at 10:19 PM, Michael Pearson <[email protected]> wrote:
>>>
>>>> Fred: Can you turn on STRICT_ALL_TABLES (http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html#sqlmode_strict_all_tables) and tell me whether this still works?
>>>>
>>>> As the comparison is generating a warning, I suspect it won't.
>>>>
>>>> If you're using MySQL, and you're not dependent on its questionable "do
>>>> what I mean" magic, use STRICT_ALL_TABLES. It'll be the default in Rails 4.
>>>>
>>>>
>>>> On Wed, Feb 6, 2013 at 8:09 PM, Fred Wu <[email protected]> wrote:
>>>>
>>>>>  Well, here's a vulnerability that's not widespread (yet) and the
>>>>> author's released the info in public after being told by the rails core
>>>>> team that it's up to the libraries to fix this:
>>>>>
>>>>> http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/
>>>>>
>>>>> Since not a lot of people are talking about this vulnerability on the
>>>>> Twitterverse I assume many of you haven't come across it either.
>>>>>
>>>>> I've verified that the exploit works, so if you are affected I suggest
>>>>> you patch your apps immediately (`to_s` on your relevant param would do).
>>>>>
>>>>>
>>>>> -Fred
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Ruby or Rails Oceania" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to rails-oceani...@**googlegroups.com.
>>>>> To post to this group, send email to [email protected]**.
>>>>>
>>>>> Visit this group at http://groups.google.com/**
>>>>> group/rails-oceania?hl=en<http://groups.google.com/group/rails-oceania?hl=en>
>>>>> .
>>>>> For more options, visit 
>>>>> https://groups.google.com/**groups/opt_out<https://groups.google.com/groups/opt_out>
>>>>> .
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Michael Pearson
>>>>
>>>>  --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ruby or Rails Oceania" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to rails-oceani...@**googlegroups.com.
>>>> To post to this group, send email to [email protected]**.
>>>>
>>>> Visit this group at http://groups.google.com/**
>>>> group/rails-oceania?hl=en<http://groups.google.com/group/rails-oceania?hl=en>
>>>> .
>>>> For more options, visit 
>>>> https://groups.google.com/**groups/opt_out<https://groups.google.com/groups/opt_out>
>>>> .
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Best regards,
>>> Y. Thong Kuah
>>> http://kuahyeow.com
>>>
>>>   --
>> You received this message because you are subscribed to the Google Groups
>> "Ruby or Rails Oceania" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>>
>
>
>
> --
> Michael Pearson
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Ruby or Rails Oceania" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>

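As an added example (not code from this thread, from Rails, or from the phenoelit post), the following pure-Ruby script models the two things the thread turns on: why a JSON body can hand a Rails controller an Integer where a form body can only hand it a String, and what MySQL's implicit string-to-number conversion then does to a `where(reset_token: params[:reset_token])` lookup. It assumes a hex password-reset token column; `mysql_string_to_number`, `mysql_equal`, the `USERS` table and the two request bodies are constructed for illustration and only simulate the comparison, they do not talk to a database.

```ruby
require "json"
require "uri"

# --- Model of the MySQL behaviour the thread is about -----------------------
# This is a simulation for illustration, not a database call. When MySQL
# compares a string column with a numeric literal it converts the string to a
# number: a leading numeric prefix is used and anything else becomes 0 (with a
# warning, not an error). Comparing string to string is an ordinary equality.
def mysql_string_to_number(str)
  m = str.match(/\A\s*[+-]?(\d+(\.\d+)?|\.\d+)([eE][+-]?\d+)?/)
  m ? m[0].to_f : 0.0
end

def mysql_equal(column_value, literal)
  if literal.is_a?(Numeric)
    mysql_string_to_number(column_value) == literal.to_f
  else
    column_value == literal.to_s
  end
end

# Constructed sample table: one hex reset token per user.
USERS = [
  { id: 1, email: "alice@example.com", reset_token: "f3a9c1d7e2b8" },
  { id: 2, email: "bob@example.com",   reset_token: "0a1b2c3d4e5f" },
].freeze

# Equivalent of where(reset_token: value) when value goes straight from the
# params hash into the query: a numeric value yields `reset_token = 0` in SQL,
# which matches every token that has no non-zero numeric prefix.
def find_by_reset_token_unsafe(value)
  USERS.select { |u| mysql_equal(u[:reset_token], value) }
end

# Hardened lookup (the `to_s` fix from the thread, plus a shape check): the SQL
# literal is always a string, so MySQL performs a string comparison.
def find_by_reset_token_safe(value)
  token = value.to_s
  return [] unless token.match?(/\A[0-9a-f]{12}\z/)
  USERS.select { |u| u[:reset_token] == token }
end

# --- Why the JSON params parser matters -------------------------------------
# The same logical parameter arriving as a form body and as a JSON body.
FORM_BODY = "reset_token=0"
JSON_BODY = '{"reset_token": 0}'

# Form-encoded params can only ever be strings...
def params_from_form(body)
  URI.decode_www_form(body).to_h
end

# ...whereas a JSON body lets the client choose the Ruby type of the value.
def params_from_json(body)
  JSON.parse(body)
end

if __FILE__ == $PROGRAM_NAME
  form = params_from_form(FORM_BODY)["reset_token"]
  json = params_from_json(JSON_BODY)["reset_token"]
  puts "form value: #{form.inspect}, json value: #{json.inspect}"
  puts "unsafe lookup, JSON value, matching ids: #{find_by_reset_token_unsafe(json).map { |u| u[:id] }.inspect}"
  puts "unsafe lookup, form value, matching ids: #{find_by_reset_token_unsafe(form).map { |u| u[:id] }.inspect}"
  puts "safe lookup, JSON value, matching ids:   #{find_by_reset_token_safe(json).map { |u| u[:id] }.inspect}"
end
```

Run as a script, the form body yields the String "0" and matches nothing, while the JSON body yields the Integer 0 and the unsafe lookup matches both users because both tokens convert to 0 under MySQL's rules; the `to_s` lookup matches nothing for either. This is also why the top message treats the JSON parser like the XML one: with neither parser registered, request params can only arrive as strings, so the query never sees a non-string type. For Rails 3.2 the initializer line that drops the JSON parser is `ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::JSON)`, mirroring the `Mime::XML` deletion from the earlier advisory; it is not exercised by this script.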