
Rails 1.1.4 LOAD_PATH vulnerability

Posted Thu, 10 Aug 2006 17:20:00 GMT

A couple of people have blogged about their use of the "elite hacking tool diff -r" to identify the problem solved by the Rails 1.1.5 Mandatory Mystery Patch. The problem is that Rails accepted LOAD_PATH as an HTTP request header, so anyone with a file upload could upload Ruby controllers into a directory on that load path and then execute them by requesting the newly exposed URIs. This is discussed by Kristian Köhntopp and Evan Weaver.

Brian Hogan reports that the 1.1.5 fix does not work with Mongrel and that Sander Land's fix is needed. The issue is being discussed on Ruby Forums, and here's the latest patch:

--- routing.rb.orig     2006-08-10 12:20:12.830325000 -0500
+++ routing.rb  2006-08-10 12:20:26.043147000 -0500
@@ -273,7 +273,7 @@
             $LOAD_PATH.select do |base|
               base = File.expand_path(base)
               extended_root = File.expand_path(RAILS_ROOT)
-
base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) *
'|'}/) || base =~ %r{rails-[\d.]+/builtin}
+
base.match(/\A#{Regexp.escape(extended_root)}\/+(#{file_kinds(:lib) *
'|'})/) || base =~ %r{rails-[\d.]+/builtin}
             end
           else
             $LOAD_PATH
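Review bot: the substantive fix in this hunk is the added parentheses, not the `\/*` to `\/+` change, and that deserves a comment in the code. In the removed pattern `\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}`, `|` binds loosest, so `\A` and the RAILS_ROOT prefix apply only to the first file kind; any path that merely contains one of the other kinds (for example `lib`) anywhere is accepted. Grouping the alternation as `(#{file_kinds(:lib) * '|'})` anchors every kind under the root, and `\/+` additionally rejects sibling directories that only share the root as a string prefix. The fallback `base =~ %r{rails-[\d.]+/builtin}` is still unanchored on both sides and accepts any path containing that substring; consider anchoring it to the actual gem directory or noting why that is acceptable. Also, as pasted here the `-` and `+` markers are separated from their lines by wrapping, so this hunk will not apply with `patch` until the lines are rejoined.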
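To make the regex precedence problem behind this hunk concrete, here is an added example (not Rails' own code, and not Sander Land's) that rebuilds the `$LOAD_PATH.select` filter with the pre-patch and post-patch patterns side by side and runs both over a constructed `$LOAD_PATH`. `LIB_KINDS` is an assumed stand-in for Rails' `file_kinds(:lib)` (the real list lives in routing.rb), and the sample paths are made up for the demonstration.

```ruby
# Added example (not Rails' own code): the $LOAD_PATH filter from the
# routing.rb hunk above, with the pre-patch and post-patch regexes side by
# side, run over a constructed $LOAD_PATH. LIB_KINDS is an assumed stand-in
# for Rails' file_kinds(:lib); the real list lives in routing.rb.

# Constructed stand-in for the directory kinds Rails allows under RAILS_ROOT.
LIB_KINDS = %w[app/models app/controllers app/helpers lib].freeze

# Rails' own gem directory is always accepted (unchanged by the patch).
BUILTIN = %r{rails-[\d.]+/builtin}

def before_regex(extended_root)
  # Pre-patch pattern. `|` binds loosest, so \A and the root prefix apply
  # only to the first kind; every other kind matches anywhere in the path.
  /\A#{Regexp.escape(extended_root)}\/*#{LIB_KINDS * '|'}/
end

def after_regex(extended_root)
  # Post-patch pattern. Grouping anchors every kind under the root, and
  # \/+ demands a real directory separator between root and kind.
  /\A#{Regexp.escape(extended_root)}\/+(#{LIB_KINDS * '|'})/
end

# Mirrors the `$LOAD_PATH.select` block in the hunk: keep only entries that
# sit under RAILS_ROOT (or in Rails' builtin dir) and drop everything else,
# including directories that a request-supplied LOAD_PATH header added.
def trusted_load_path(load_path, rails_root, patched: true)
  extended_root = File.expand_path(rails_root)
  regex = patched ? after_regex(extended_root) : before_regex(extended_root)
  load_path.select do |base|
    base = File.expand_path(base)
    base.match(regex) || base =~ BUILTIN
  end
end

# Constructed sample $LOAD_PATH: two legitimate app dirs, the Rails builtin
# dir, an upload directory that untrusted users can write to, and a sibling
# directory that merely shares RAILS_ROOT as a string prefix.
SAMPLE_LOAD_PATH = [
  "/srv/myapp/app/controllers",
  "/srv/myapp/lib",
  "/usr/lib/ruby/gems/1.8/gems/rails-1.1.4/builtin",
  "/tmp/uploads/app/controllers",
  "/srv/myapplib",
].freeze

if __FILE__ == $0
  %w[unpatched patched].each do |mode|
    kept = trusted_load_path(SAMPLE_LOAD_PATH, "/srv/myapp", patched: mode == "patched")
    puts "#{mode}: #{kept.size} of #{SAMPLE_LOAD_PATH.size} entries kept"
    kept.each { |p| puts "  #{p}" }
  end
end
```

Run as a script, the unpatched filter keeps all five entries, including the upload directory and the `/srv/myapplib` sibling, because `app/controllers` and `lib` match as unanchored alternatives; the patched filter keeps only the three entries under `/srv/myapp` or in the builtin gem directory.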

37Signals is getting some flak for keeping this a secret when it's so easy to discover what the issue is. Hopefully they'll learn their lesson. They'd also come across as more professional without things like this: http://www.flickr.com/photos/planetargon/127984254/.



Comments

  1. Ajay said about 2 hours later:

    I thought that slide was pretty cool. I don’t know the full story behind it (only heard a little bit) but I’m glad that they can get away with it. It’s an open-source project that they provide to the world at their leisure. If you have a problem with it, fork it and do something about it (not you, John, but those who make a big deal out of that slide).

  2. John Wang said about 4 hours later:

    I’ll admit it is entertaining :)

  3. Tim Connor said 2 months later:

    At first I thought that and the DHH translation of the MIT Licence to “I don’t owe you shit” were kind of assholish and whatnot. Then I read the comments on the Rails blog, and started to understand why they (DHH and railcore) were feeling that way.

