Rails vulnerability

Posted on August 10, 2006

Yesterday the Rails core team announced the release of Rails 1.1.5, which supposedly fixes a major security vulnerability. Unfortunately, they didn't disclose what the actual problem was. I don't know about you, but I find it inappropriate and very frustrating. I'm a sysadmin of a commercial web site and I must know what kind of problem I'm facing.

What is even more frustrating is that the 1.1.5 release introduced another huge security vulnerability. Just enter a URL in your browser consisting of the name of any standard Ruby library and your Rails application will happily load that library. For example, if you want to bring down any web site powered by Rails 1.1.5, just run this:

    # wget http://<your-website>/debug

several times. This URL makes Rails load the standard debug.rb library, which halts the dispatcher process while it waits for terminal input.

I hope that next time the Rails core team will be more open about security threats. An extra pair of eyes wouldn't hurt with patch evaluation.
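To make the root cause concrete, here is an added example that is not code from the original post or from Rails itself. Rails 1.1.5 decides which `$LOAD_PATH` entries a URL may load from with a regex built from `RAILS_ROOT` and a list of directory kinds; the example rebuilds that filter with a constructed `ROOT`, a hypothetical `KINDS` list standing in for `file_kinds(:lib)`, and a constructed `$LOAD_PATH`, and shows how an ungrouped alternation admits the Ruby standard library directories while the grouped form restricts matches to the application root.

```ruby
# Added example, not code from the original post or from Rails itself.
# It reproduces the shape of the Rails 1.1.5 load-path filter with
# constructed values, to show why an ungrouped alternation admits
# directories outside the application and how grouping it fixes that.

ROOT = "/srv/myapp"                       # constructed stand-in for RAILS_ROOT
KINDS = %w[app lib components vendor]     # hypothetical stand-in for file_kinds(:lib)

# Constructed $LOAD_PATH; only the first three entries live under ROOT.
SAMPLE_LOAD_PATH = [
  "/srv/myapp/lib",
  "/srv/myapp/app/controllers",
  "/srv/myapp/vendor/plugins/acl/lib",
  "/usr/lib/ruby/1.8",                                    # Ruby stdlib (contains "lib")
  "/usr/lib/ruby/site_ruby/1.8",                          # site_ruby (contains "lib")
  "/home/deploy/.gem/gems/rails-1.1.5/builtin/rails_info" # rails builtin: allowed on purpose
]

# Rails keeps its own builtin directory loadable regardless of ROOT.
BUILTIN = %r{rails-[\d.]+/builtin}

# Precedence bug: '|' binds loosest, so the interpolated pattern reads as
#   (\A/srv/myapp/*app) | lib | components | vendor
# and any path merely containing "lib" or "vendor" passes the filter.
def ungrouped_filter(paths, root = ROOT)
  re = /\A#{Regexp.escape(root)}\/*#{KINDS * '|'}/
  paths.select { |p| p =~ re || p =~ BUILTIN }
end

# Grouped alternation: the \A root prefix now applies to every kind,
# and Regexp.escape keeps metacharacters in the root from widening it.
def grouped_filter(paths, root = ROOT)
  re = /\A#{Regexp.escape(root)}\/*(#{KINDS * '|'})/
  paths.select { |p| p =~ re || p =~ BUILTIN }
end

# Entries the buggy filter admits although they lie outside the app root.
def leaked_paths(paths, root = ROOT)
  ungrouped_filter(paths, root) - grouped_filter(paths, root)
end

if __FILE__ == $0
  puts "ungrouped: #{ungrouped_filter(SAMPLE_LOAD_PATH).inspect}"
  puts "grouped:   #{grouped_filter(SAMPLE_LOAD_PATH).inspect}"
  puts "leaked:    #{leaked_paths(SAMPLE_LOAD_PATH).inspect}"
end
```

Running it lists both `/usr/lib/ruby` directories under `leaked`, which is exactly the set of places a standard library such as `debug.rb` lives; with the grouped pattern only the three application directories and the Rails builtin directory survive.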

Below is the patch that fixes this hole in Rails 1.1.5:

    Index: actionpack/lib/action_controller/routing.rb
    ===================================================================
    --- actionpack/lib/action_controller/routing.rb (revision 4745)
    +++ actionpack/lib/action_controller/routing.rb (working copy)
    @@ -270,10 +270,11 @@
           protected
             def safe_load_paths #:nodoc:
               if defined?(RAILS_ROOT)
    +            extended_root = Regexp.escape(File.expand_path(RAILS_ROOT))
                 $LOAD_PATH.select do |base|
                   base = File.expand_path(base)
                   extended_root = File.expand_path(RAILS_ROOT)
    -              base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
    +              base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) * '|'})/) || base =~ %r{rails-[\d.]+/builtin}
                 end
               else
                 $LOAD_PATH
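Review bot: the `extended_root = File.expand_path(RAILS_ROOT)` line left inside the `select` block overwrites, on every iteration, the escaped value that the new `extended_root = Regexp.escape(File.expand_path(RAILS_ROOT))` line computes above the block, because a block assignment to an existing outer local assigns that local; the regex then interpolates an unescaped path again. Remove the inner assignment so the `Regexp.escape` actually takes effect. The parentheses added around `#{file_kinds(:lib) * '|'}` are the substantive fix: without them `|` split the whole pattern, so the `\A#{extended_root}` anchor applied only to the first kind and any `$LOAD_PATH` entry merely containing `lib` or `vendor` (such as the Ruby standard library directory) was accepted. A short comment next to the regex saying why the group is there would keep a later cleanup from dropping it.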