[ANN] Rails 1.1.6: Stronger fix, backports, and full disclosure

Discussion in 'Ruby' started by David Heinemeier Hansson, Aug 10, 2006.

  1. The cat is out of the bag, so here's the full disclosure edition of
    the current security vulnerability. With Rails 1.1.0 through 1.1.5
    (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
    code through the URL because of a bug in the routing code of Rails.
    This means that you can essentially take down a Rails process by
    starting something like /script/profiler, as the code will run for a
    long time and that process will be hung while it happens. Other URLs
    can even cause data loss.

    We've backported a fix to all the affected versions for those of you
    that can't update. You'll have to apply the diff for your version:

    * Patch for Rails 1.1.0:
    http://www.rubyonrails.org/files/aug_10_security/rel_1-1-0.diff
    * Patch for Rails 1.1.1:
    http://www.rubyonrails.org/files/aug_10_security/rel_1-1-1.diff
    * Patch for Rails 1.1.2:
    http://www.rubyonrails.org/files/aug_10_security/rel_1-1-2.diff
    * Patch for Rails 1.1.4:
    http://www.rubyonrails.org/files/aug_10_security/rel_1-1-4.diff
    * Patch for Rails 1.1.5: Upgrade to Rails 1.1.6.

    These patches (and 1.1.6) will break applications using the 3rd party
    engines idea. So if you can't upgrade because of dependencies to
    those, you can also add the following URL blocking while engines are
    being updated. Here's how to do it with mod_rewrite under Apache:

    RewriteRule ^(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/ - [F]

    Here's how to do it under lighttpd:

    url.rewrite-once = (
    "^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/"
    => "index.html" )

    Unfortunately, the 1.1.5 update from yesterday only partly closed the
    hole (getting rid of the worst data loss trigger). After learning more
    about the extent of the problem, we've now put together a 1.1.6
    release that completely closes all elements of the hole (using the
    same technique as the backports above).

    So if you upgraded to 1.1.5 yesterday, you need to upgrade again. The
    approach stays the same:

    sudo gem install rails --include-dependencies

    If you're running off trunk (also known as edge) using revision 4394 or
    later, you're not affected by all this in any form.

    We'll follow up with more information as it becomes available.
    Needless to say, this is all the Rails core team is working on right
    now and we've recruited a whole band of testers to help us play this
    out. We'll make sure to evaluate all the feedback that's been coming
    in and develop a policy for dealing with security issues in the
    future. Thanks for your continued understanding.

    We've also started #rails-security on Freenet for people with IRC
    available to get and share more information.

    If you're floating on gems (don't have vendor/rails), then make sure
    you update RAILS_GEM_VERSION in your config/environment.rb. Otherwise
    you'll still be bound to that earlier version of Rails even as you
    install the new gems.


    We continue to update http://weblog.rubyonrails.org/ with the latest
    information as it becomes available.
    --
    David Heinemeier Hansson
    http://www.loudthinking.com -- Broadcasting Brain
    http://www.basecamphq.com -- Online project management
    http://www.backpackit.com -- Personal information manager
    http://www.rubyonrails.com -- Web-application framework
     
    David Heinemeier Hansson, Aug 10, 2006
    #1
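    The two web-server rules in the announcement are a denylist: every
    top-level Rails directory is spelled out and any request path that
    starts with one is refused. As an added example (my code, not DHH's
    and not the Rails patch), here is that same denylist in Ruby next to
    the allowlist form a practitioner would rather depend on: take the
    controller name the URL asks for, map it to a file under
    app/controllers, and accept it only if the resolved, symlink-free
    path is still inside that directory. The fixture tree, the controller
    names, and the small percent-decoding helper are all constructed for
    the demo and are not from the original post.

```ruby
require "fileutils"
require "pathname"
require "tmpdir"

# Top-level Rails directories the interim Apache/lighttpd rules refuse to serve.
BLOCKED_DIRS = %w[app components config db doc lib log public script test tmp vendor].freeze
BLOCKED_RE   = %r{\A/?(?:#{BLOCKED_DIRS.join('|')})/}

# Minimal percent-decoding (constructed helper) so "/%73cript/profiler" is judged
# the same way as "/script/profiler". The web servers decode before matching;
# a filter that forgets to would be trivially bypassable.
def percent_decode(path)
  path.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack("C") }.force_encoding(path.encoding)
end

# Denylist check equivalent to the rewrite rules in the announcement:
# true when the request path begins with one of the blocked directories.
# Accepts paths with or without a leading slash (Apache per-directory rules
# see no leading slash; lighttpd's url.rewrite-once does).
def denied_by_prefix?(request_path)
  !!(percent_decode(request_path) =~ BLOCKED_RE)
end

# Allowlist check, the stronger alternative: turn a controller name taken from
# the URL into a file under app/controllers and accept it only if the resolved
# (symlink-free) path is still inside that directory. Returns the path or nil.
def resolve_controller(rails_root, controller_name)
  base      = Pathname.new(rails_root).join("app", "controllers").realpath
  candidate = base.join("#{controller_name}_controller.rb")
  return nil unless candidate.file?
  real = candidate.realpath
  real.to_s.start_with?(base.to_s + File::SEPARATOR) ? real.to_s : nil
end

# Constructed fixture: a bare app tree with one real controller and a symlink
# inside app/controllers that points out of it at script/profiler.
def build_fixture(root)
  FileUtils.mkdir_p(File.join(root, "app", "controllers"))
  FileUtils.mkdir_p(File.join(root, "script"))
  File.write(File.join(root, "app", "controllers", "posts_controller.rb"),
             "class PostsController; end\n")
  File.write(File.join(root, "script", "profiler"), "# would run for a long time\n")
  File.symlink(File.join("..", "..", "script", "profiler"),
               File.join(root, "app", "controllers", "evil_controller.rb"))
  root
end

if __FILE__ == $0
  Dir.mktmpdir do |root|
    build_fixture(root)
    %w[/script/profiler /%73cript/profiler /posts/show/1].each do |p|
      puts "#{p.ljust(20)} denied=#{denied_by_prefix?(p)}"
    end
    puts "posts -> #{resolve_controller(root, 'posts').inspect}"
    puts "evil  -> #{resolve_controller(root, 'evil').inspect}"
    puts "../../script/profiler -> #{resolve_controller(root, '../../script/profiler').inspect}"
  end
end
```

    The denylist is only as good as its spelling of every directory and
    the decoding the server applies before matching; the allowlist form
    does not care what directories the application grows later, because
    anything whose real path is not under app/controllers is refused,
    including a symlink planted inside that directory.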

  2. Ed Howland

    David, what are the steps 3rd party engines need to do to fix their code?

    Thanks
    Ed

    On 8/10/06, David Heinemeier Hansson <> wrote:
    > The cat is out of the bag, so here's the full disclosure edition of
    > the current security vulnerability. With Rails 1.1.0 through 1.1.5
    > (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
    > code through the URL because of a bug in the routing code of Rails.
    > This means that you can essentially take down a Rails process by
    > starting something like /script/profiler, as the code will run for a
    > long time and that process will be hung while it happens. Other URLs
    > can even cause data loss.


    --
    Ed Howland
    http://greenprogrammer.blogspot.com
     
    Ed Howland, Aug 10, 2006
    #2

  3. David Heinemeier Hansson wrote:
    > The cat is out of the bag, so here's the full disclosure edition of
    > the current security vulnerability. With Rails 1.1.0 through 1.1.5
    > (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
    > code through the URL because of a bug in the routing code of Rails.
    > This means that you can essentially take down a Rails process by
    > starting something like /script/profiler, as the code will run for a
    > long time and that process will be hung while it happens. Other URLs
    > can even cause data loss.


    it is nice to see this kind of quick feedback and bugfix, but I wonder
    if this could have been avoided from the start by using $SAFE. Has anyone
    ever investigated if Rails can be made to run with higher safe
    levels than 0?
     
    gabriele renzi, Aug 10, 2006
    #3
  4. James Adam

    Expect an engines fix in the next few hours.

    - james

    On 8/10/06, Ed Howland <> wrote:
    > David, what are the steps 3rd party engines need to do to fix their code?
    >



    --
    * J *
    ~
     
    James Adam, Aug 10, 2006
    #4
  5. On 8/10/06, David Heinemeier Hansson <> wrote:
    >
    > Here's how to do it under lighttpd:
    >
    > url.rewrite-once = (
    > "^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/"
    > => "index.html" )


    Thanks a lot, especially for this virtually instant interim fix.

    Les
     
    Leslie Viljoen, Aug 10, 2006
    #5
  6. Ed Howland

    On 8/10/06, James Adam <> wrote:
    > Expect an engines fix in the next few hours.
    >
    > - james
    >
    > On 8/10/06, Ed Howland <> wrote:
    > > David, what are the steps 3rd party engines need to do to fix their code?
    > >


    James,

    Thanks. I am working with Jeff Barczewski on Masterview Templates,
    which is a templating engine. It generally works with the 1.1.6 patch,
    but they have a special URL that goes to their Admin Console page. Jeff
    confirmed that 1.1.6 and 1.1.5 broke his routing.

    He should have a workaround for it soon. It only affects the
    development process. It should not affect any production code, AFAIK.

    Ed





    --
    Ed Howland
    http://greenprogrammer.blogspot.com
     
    Ed Howland, Aug 10, 2006
    #6
  7. Peña, Botp

    fr David:
    # Sent: Friday, August 11, 2006 3:05 AM
    # To: ruby-talk ML
    #
    # Subject: [ANN] Rails 1.1.6: Stronger fix, backports, and full disclosure

    just a small info.
    on a test box w no app installed yet,

    root@pc4all:~# gem install rails --include-dependencies
    Need to update 19 gems from http://gems.rubyforge.org
    ...................
    complete
    Successfully installed rails-1.1.6
    Successfully installed actionpack-1.12.5
    Successfully installed actionmailer-1.2.5
    Successfully installed actionwebservice-1.1.6
    Installing ri documentation for actionpack-1.12.5...
    While generating documentation for actionpack-1.12.5
    ... MESSAGE: Unhandled special: Special: type=17, text="<!-- The header part of this layout -->"
    ... RDOC args: --ri --op /usr/local/lib/ruby/gems/1.8/doc/actionpack-1.12.5/ri --quiet lib
    (continuing with the rest of the installation)
    Installing ri documentation for actionmailer-1.2.5...
    Installing ri documentation for actionwebservice-1.1.6...
    Installing RDoc documentation for actionpack-1.12.5...
    Installing RDoc documentation for actionmailer-1.2.5...
    Installing RDoc documentation for actionwebservice-1.1.6...
    root@pc4all:~#

    thanks for rails.
    -botp
     
    Peña, Botp, Aug 11, 2006
    #7
  8. Ed Howland

    On 8/10/06, Peña, Botp <> wrote:
    >
    > just a small info.
    > on a test box w no app installed yet,
    >
    > root@pc4all:~# gem install rails --include-dependencies
    > Need to update 19 gems from http://gems.rubyforge.org
    > ...................
    > complete
    > Successfully installed rails-1.1.6
    > Successfully installed actionpack-1.12.5
    > Successfully installed actionmailer-1.2.5
    > Successfully installed actionwebservice-1.1.6
    > Installing ri documentation for actionpack-1.12.5...
    > While generating documentation for actionpack-1.12.5
    > ... MESSAGE: Unhandled special: Special: type=17, text="<!-- The header part of this layout -->"
    > ... RDOC args: --ri --op /usr/local/lib/ruby/gems/1.8/doc/actionpack-1.12.5/ri --quiet lib
    > (continuing with the rest of the installation)
    > Installing ri documentation for actionmailer-1.2.5...
    > Installing ri documentation for actionwebservice-1.1.6...
    > Installing RDoc documentation for actionpack-1.12.5...
    > Installing RDoc documentation for actionmailer-1.2.5...
    > Installing RDoc documentation for actionwebservice-1.1.6...


    I got that as well, but it didn't seem to break anything. Maybe my
    local documentation is broken, but I use the web api one anyway.

    Ed

    --
    Ed Howland
    http://greenprogrammer.blogspot.com
     
    Ed Howland, Aug 11, 2006
    #8
