Rails 1.1.4 LOAD_PATH vulnerability
Posted in security, rails Thu, 10 Aug 2006 17:20:00 GMT
A couple of people have blogged about their use of the "elite hacking tool diff -r" to identify the problem solved by the Rails 1.1.5 Mandatory Mystery Patch. The problem is that Rails accepted LOAD_PATH as an HTTP request header with any file upload, so a hacker could upload Ruby controllers and then execute them by accessing the newly exposed URIs. This is discussed by Kristian Köhntopp and Evan Weaver.
Brian Hogan reports that the 1.1.5 fix does not work with Mongrel and that Sander Land's fix is needed. The issue is being discussed on Ruby Forums, and here's the latest patch:
--- routing.rb.orig 2006-08-10 12:20:12.830325000 -0500 +++ routing.rb 2006-08-10 12:20:26.043147000 -0500 @@ -273,7 +273,7 @@ $LOAD_PATH.select do |base| base = File.expand_path(base) extended_root = File.expand_path(RAILS_ROOT) - base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin} + base.match(/\A#{Regexp.escape(extended_root)}\/+(#{file_kinds(:lib) * '|'})/) || base =~ %r{rails-[\d.]+/builtin} end else $LOAD_PATH
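Review bot: the `-` line's alternation `#{file_kinds(:lib) * '|'}` is ungrouped, so the `\A#{Regexp.escape(extended_root)}\/*` prefix binds only to the first kind and every other kind matches anywhere in `base`; the `+` line's parentheses and `\/+` fix both that and the zero-slash case, which is the right change. The second half of the condition, `base =~ %r{rails-[\d.]+/builtin}`, is left unanchored and unchanged, so it would be worth anchoring it to the gem directory actually in use, and the patch should ship with a test that feeds a `$LOAD_PATH` entry outside `RAILS_ROOT` through the filter so this regression is caught next time.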
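To make the regex difference in the patch above concrete, here is an added example (not code from the post or from Rails) that runs constructed `$LOAD_PATH` entries through both forms of the filter; the kind list `app|lib|vendor` and the paths are assumptions standing in for `file_kinds(:lib)` and a real application.

```ruby
# Assumed stand-in for file_kinds(:lib) in routing.rb; the real list may differ.
LIB_KINDS = %w(app lib vendor).freeze

# Original filter: the alternation is ungrouped, so "\A<root>/*" binds only to
# the first kind ("app") and "lib" / "vendor" match anywhere in the string.
# "/*" also allows zero slashes between the root and the kind.
def original_allowed?(base, root)
  root = File.expand_path(root)
  base = File.expand_path(base)
  !!(base.match(/\A#{Regexp.escape(root)}\/*#{LIB_KINDS * '|'}/) ||
     base =~ %r{rails-[\d.]+/builtin})
end

# Patched filter: grouped alternation plus at least one "/" means every kind
# must sit directly under RAILS_ROOT.
def patched_allowed?(base, root)
  root = File.expand_path(root)
  base = File.expand_path(base)
  !!(base.match(/\A#{Regexp.escape(root)}\/+(#{LIB_KINDS * '|'})/) ||
     base =~ %r{rails-[\d.]+/builtin})
end

# Constructed sample entries for RAILS_ROOT = /srv/myapp:
# the first two are legitimate, the last two should be rejected.
SAMPLE_ENTRIES = [
  '/srv/myapp/app/controllers',
  '/srv/myapp/lib',
  '/tmp/uploads/lib',   # outside RAILS_ROOT, but contains the bare word "lib"
  '/srv/myappapp/x',    # continues the root name with no separating "/"
].freeze

# Returns [entry, original_verdict, patched_verdict] for each sample entry.
def classify(root)
  SAMPLE_ENTRIES.map do |entry|
    [entry, original_allowed?(entry, root), patched_allowed?(entry, root)]
  end
end

classify('/srv/myapp').each { |row| puts row.inspect } if $PROGRAM_NAME == __FILE__
```

Only the patched form rejects the two entries outside `/srv/myapp`; the original accepts both because of the ungrouped alternation and the optional slash.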
37Signals is getting some flak for keeping this a secret when it's so easy to discover what the issue is. Hopefully they'll learn their lesson. They'd also come across as more professional without things like this: http://www.flickr.com/photos/planetargon/127984254/.
I thought that slide was pretty cool. I don’t know the full story behind it (only heard a little bit) but I’m glad that they can get away with it. It’s an open-source project that they provide to the world at their leisure. If you have a problem with it, fork it and do something about it (not you, John, but those who make a big deal out of that slide).
I’ll admit it is entertaining :)
At first I thought that and the DHH translation of the MIT Licence to “I don’t owe you shit” were kind of assholish and whatnot. Then I read the comments on the Rails blog, and started to understand why they (DHH and railcore) were feeling that way.