[ANN] Rails 1.1.6: Stronger fix, backports, and full disclosure

  • Thread starter David Heinemeier Hansson
  • Start date
D

David Heinemeier Hansson

The cat is out of the bag, so here's the full disclosure edition of
the current security vulnerability. With Rails 1.1.0 through 1.1.5
(minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
code through the URL because of a bug in the routing code of Rails.
This means that you can essentially take down a Rails process by
starting something like /script/profiler, as the code will run for a
long time and that process will be hung while it happens. Other URLs
can even cause data loss.

We've backported a fix to all the affected versions for those of you
that can't update. You'll have to apply the diff for your version:

* Patch for Rails 1.1.0:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-0.diff
* Patch for Rails 1.1.1:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-1.diff
* Patch for Rails 1.1.2:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-2.diff
* Patch for Rails 1.1.4:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-4.diff
* Patch for Rails 1.1.5: Upgrade to Rails 1.1.6.

These patches (and 1.1.6) will break applications using the 3rd party
engines idea. So if you can't upgrade because of dependencies to
those, you can also add the following URL blocking while engines are
being updated. Here's how to do it with mod_rewrite under Apache:

RewriteRule ^(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/
- [F]

Here's how to do it under lighttpd:

url.rewrite-once = (
"^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/"
=> "index.html" )

Unfortunately, the 1.1.5 update from yesterday only partly closed the
hole (getting rid of the worst data loss trigger). After learning more
about the extent of the problem, we've now put together a 1.1.6
release that completely closes all elements of the hole (using the
same technique as the backports above).

So if you upgraded to 1.1.5 yesterday, you need to upgrade again. The
approach stays the same:

sudo gem install rails --include-dependencies

If you're running of trunk (also known as edge) using revision 4394 or
later, you're not affected by all this in any form.

We'll follow up with more information as it becomes available.
Needless to say, this is all the Rails core team is working on right
now and we've recruited a whole band of testers to help us play this
out. We'll make sure to evaluate all the feedback that's been coming
in and develop a policy for dealing with security issues in the
future. Thanks for your continued understanding.

We've also started #rails-security on Freenet for people with IRC
available to get and share more information.

If you're floating on gems (don't have vendor/rails), then make sure
you update RAILS_GEM_VERSION in your config/environment.rb. Otherwise
you'll still be bound to that earlier version of Rails even as you
install the new gems.


We continue to update http://weblog.rubyonrails.org/ with the latest
information as it becomes available.
--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework
 
E

Ed Howland

David, what are the steps 3rd party engines need to do to fix their code?

Thanks
Ed

The cat is out of the bag, so here's the full disclosure edition of
the current security vulnerability. With Rails 1.1.0 through 1.1.5
(minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
code through the URL because of a bug in the routing code of Rails.
This means that you can essentially take down a Rails process by
starting something like /script/profiler, as the code will run for a
long time and that process will be hung while it happens. Other URLs
can even cause data loss.

We've backported a fix to all the affected versions for those of you
that can't update. You'll have to apply the diff for your version:

* Patch for Rails 1.1.0:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-0.diff
* Patch for Rails 1.1.1:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-1.diff
* Patch for Rails 1.1.2:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-2.diff
* Patch for Rails 1.1.4:
http://www.rubyonrails.org/files/aug_10_security/rel_1-1-4.diff
* Patch for Rails 1.1.5: Upgrade to Rails 1.1.6.

These patches (and 1.1.6) will break applications using the 3rd party
engines idea. So if you can't upgrade because of dependencies to
those, you can also add the following URL blocking while engines are
being updated. Here's how to do it with mod_rewrite under Apache:

RewriteRule ^(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/
- [F]

Here's how to do it under lighttpd:

url.rewrite-once = (
"^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/"
=> "index.html" )

Unfortunately, the 1.1.5 update from yesterday only partly closed the
hole (getting rid of the worst data loss trigger). After learning more
about the extent of the problem, we've now put together a 1.1.6
release that completely closes all elements of the hole (using the
same technique as the backports above).

So if you upgraded to 1.1.5 yesterday, you need to upgrade again. The
approach stays the same:

sudo gem install rails --include-dependencies

If you're running of trunk (also known as edge) using revision 4394 or
later, you're not affected by all this in any form.

We'll follow up with more information as it becomes available.
Needless to say, this is all the Rails core team is working on right
now and we've recruited a whole band of testers to help us play this
out. We'll make sure to evaluate all the feedback that's been coming
in and develop a policy for dealing with security issues in the
future. Thanks for your continued understanding.

We've also started #rails-security on Freenet for people with IRC
available to get and share more information.

If you're floating on gems (don't have vendor/rails), then make sure
you update RAILS_GEM_VERSION in your config/environment.rb. Otherwise
you'll still be bound to that earlier version of Rails even as you
install the new gems.


We continue to update http://weblog.rubyonrails.org/ with the latest
information as it becomes available.
--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework
 
G

gabriele renzi

David Heinemeier Hansson ha scritto:
The cat is out of the bag, so here's the full disclosure edition of
the current security vulnerability. With Rails 1.1.0 through 1.1.5
(minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
code through the URL because of a bug in the routing code of Rails.
This means that you can essentially take down a Rails process by
starting something like /script/profiler, as the code will run for a
long time and that process will be hung while it happens. Other URLs
can even cause data loss.

it is nice to see this kind of quick feedback and bugfix, but I wonder
if this coulkd have been avoided from the start by using $SAFE, someone
has ever investigated if rails can be made to run with higher safe
levels than 0 ?
 
L

Leslie Viljoen

Here's how to do it under lighttpd:

url.rewrite-once = (
"^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/"
=> "index.html" )

Thanks a lot, especially for this virtually instant interim fix.

Les
 
E

Ed Howland

Expect an engines fix in the next few hours.

- james

James,

Thanks. I am working with Jeff Barczewski on Masterview Templates
which is a templating engine. It generally works with the 1.1.6 patch,
but they have special URL that goes to their Admin Console page. Jeff
confirmed that the 1.1.6 and 1.1.5 broke his routing.

He should have a workaround for it soon. It only affects the
development process. It should not affect any production code, AFAIK.

Ed
 
P

Peña, Botp

fr David:
# Sent: Friday, August 11, 2006 3:05 AM
# To: ruby-talk ML; (e-mail address removed);=20
# (e-mail address removed)
# Subject: [ANN] Rails 1.1.6: Stronger fix, backports, and full=20
# disclosure

just a small info.
on a test box w no app installed yet,

root@pc4all:~# gem install rails --include-dependencies
Need to update 19 gems from http://gems.rubyforge.org
...................
complete
Successfully installed rails-1.1.6
Successfully installed actionpack-1.12.5
Successfully installed actionmailer-1.2.5
Successfully installed actionwebservice-1.1.6
Installing ri documentation for actionpack-1.12.5...
While generating documentation for actionpack-1.12.5
... MESSAGE: Unhandled special: Special: type=3D17, text=3D"<!-- The =
header part of this layout -->"
... RDOC args: --ri --op =
/usr/local/lib/ruby/gems/1.8/doc/actionpack-1.12.5/ri --quiet lib
(continuing with the rest of the installation)
Installing ri documentation for actionmailer-1.2.5...
Installing ri documentation for actionwebservice-1.1.6...
Installing RDoc documentation for actionpack-1.12.5...
Installing RDoc documentation for actionmailer-1.2.5...
Installing RDoc documentation for actionwebservice-1.1.6...
root@pc4all:~#

thanks for rails.
-botp
 
E

Ed Howland

just a small info.
on a test box w no app installed yet,

root@pc4all:~# gem install rails --include-dependencies
Need to update 19 gems from http://gems.rubyforge.org
...................
complete
Successfully installed rails-1.1.6
Successfully installed actionpack-1.12.5
Successfully installed actionmailer-1.2.5
Successfully installed actionwebservice-1.1.6
Installing ri documentation for actionpack-1.12.5...
While generating documentation for actionpack-1.12.5
... MESSAGE: Unhandled special: Special: type=3D17, text=3D"<!-- The he= ader part of this layout -->"
... RDOC args: --ri --op /usr/local/lib/ruby/gems/1.8/doc/actionpack-1.12= 5/ri --quiet lib
(continuing with the rest of the installation)
Installing ri documentation for actionmailer-1.2.5...
Installing ri documentation for actionwebservice-1.1.6...
Installing RDoc documentation for actionpack-1.12.5...
Installing RDoc documentation for actionmailer-1.2.5...
Installing RDoc documentation for actionwebservice-1.1.6...

I got that as well, but it didn't seem to break anything. Maybe my
local documentation is broken, but I use the web api one anyway.

Ed

--=20
Ed Howland
http://greenprogrammer.blogspot.com
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,780
Messages
2,569,611
Members
45,284
Latest member
NicholeDum

Latest Threads

Top