Dev411 Blog

People are reporting a Rails 1.1.5 routing vulerability where accessing certain URIs will crash Rails. The problem has been reported on Mongrel, WeBrick and FastCGI. Piers Cawley is working on an explicit routes fix for Typo and discusses the issue on his blog. This has not been mentioned on the RoR blog yet. Good thing for public forums.

While this is being fixed you can take steps to protect your own apps by ensuring only valid urls are allowed to make it to your Rails app.

Some problem URIs that have been mentioned include:

• active_support/dependencies
• breakpoint_client
• builder/blankslate
• cgi

I've added some mod_rewrite rules for now but I'm hoping there will be a better solution soon.

If you are using 1.1.5 with Mongrel, see Rails 1.1.4 LOAD_PATH vulernability for a patch to make them work together.

UPDATE:This is now mentioned on the RoR blog with their recommended mod_rewrite fixes for Apache and lighttpd if you can't upgrade to 1.1.6 right away:

Apache:

RewriteRule ^(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/ - [F]

lighttpd:

url.rewrite-once = ( "^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/" => "index.html" )