Thursday, April 7, 2011

Rails 3.0.6 has been released!

Hi everybody! Rails 3.0.6 has been released!
Let's get the serious business out of the way first:

Rails 3.0.6 contains an important security fix! Please upgrade!

Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The vulnerability manifests itself via the auto_link method. The auto_link method will automatically mark input strings as "html safe" even if the input is from an unknown origin.
For example:
<%= auto_link(params[:content]) %>
If the "content" parameter contains malicious javascript, that script will be rendered without being escaped.

How can I protect myself?

  • Upgrade to Rails 3.0.6, then content passed to auto_link will be automatically escaped for you.
  • If you cannot upgrade Rails, then apply the patch found here. Then auto_link content will be escaped for you.
  • If you cannot upgrade Rails, or apply the patch, then change your calls to auto_link to call sanitize like so:
    <%= sanitize(auto_link(params[:content])) %>
    If you trust the input, then change to this
    <%= raw(auto_link(params[:content])) %>

Credits

Thanks go to Torben Schulz for reporting this issue!

1 comments:

cp said...

I agreed with the ideas and version that can be provided in these post and its really wonderful for the use.
----------
Ruby on Rails Development | ROR Development

Post a Comment