Evan on 10 Aug 2006 09:37:26 -0000



Re: [PhillyOnRails] Any news on whats what with 1.1.5?


Mystery pretty much solved, so you can make an informed decision
regarding what to do about this fiasco:
http://blog.evanweaver.com/articles/2006/08/10/explanation-of-the-rails-security-vulnerability-in-1-1-4-others

Evan

On 8/9/06, Evan <eweaver@gmail.com> wrote:
It could possibly be related to these lines:

diff -r old/rails/vendor/rails/actionpack/lib/action_controller/routing.rb
new/rails/vendor/rails/actionpack/lib/action_controller/routing.rb
221c221,225
<
---
>
>         def file_kinds(kind)
>           ((@file_kinds ||= []) << kind).uniq! || @file_kinds
>         end
>
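Review bot: file_kinds(kind) is both a registration and a lookup, and the ((... << kind).uniq! || @file_kinds) body relies on Array#uniq! returning nil when nothing was removed, which is easy to misread; nothing in the hunk documents that the return value is always the full @file_kinds list and that every kind passed in is remembered, so a caller that only wants to read the list still extends it. A plainer body such as "@file_kinds ||= []; @file_kinds << kind unless @file_kinds.include?(kind); @file_kinds" with a one-line comment to that effect would make the side effect obvious at the call sites.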
230a235
>             file_kinds :app
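Review bot: "file_kinds :app" is a bare call with no surrounding context lines, so the hunk does not show which method it sits in or when it runs relative to the path check that consumes the list; a short comment naming it as the registration of the app directory as a permitted load location would make the intent visible. Only :app is registered explicitly; :lib appears nowhere in this hunk and enters the list only as a side effect of the lookup call in the 271c276 hunk below, which is worth stating next to this line so the two registrations are not split silently.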
271c276
<               base[0, extended_root.length] == extended_root || base
=~ %r{rails-[\d.]+/builtin}
---
>               base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
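Review bot: the alternation in the new regexp is not grouped. file_kinds(:lib) * '|' joins the registered kinds into the string "app|lib", so after interpolation the pattern reads \A<escaped root>\/*app|lib, and Ruby applies | to the whole pattern: the right-hand branch "lib" is unanchored and matches any base path containing "lib" anywhere, which makes the check looser than the base[0, extended_root.length] == extended_root prefix test it replaces. Wrap the joined kinds, e.g. (?:#{file_kinds(:lib) * '|'}), and require a separator after the kind (\/) so "app" cannot match a directory such as "application"; \/* as written also permits zero slashes between the root and the kind. The retained %r{rails-[\d.]+/builtin} fallback is unanchored as well and deserves the same scrutiny.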

But I don't know what it might be in specific (the new version is
marked by the > sign).

Evan

PS. A diff of 1.1.4 and 1.1.5, minus the /doc directory and other
things unlikely to be relevant, is here:
http://blog.evanweaver.com/files/diff.txt .

On 8/9/06, Aaron Blohowiak <aaron@aaronblohowiak.com> wrote:
>
> Security issue, not something "broken" as in stopped functioning when
> functioned previously.
>
> If you live on edge, you are actually safe from this flaw.
>
> ALWAYS TEST before you go live with a new version of rails. Though they
> claim this is a drop-in, it isn't. It kills some rails apps that use certain
> plugins. Hit up #rubyonrails on freenode until this gets sorted out.
>
>
> Aaron Blohowiak
>
>
> On Aug 9, 2006, at 2:55 PM, Mike Zornek wrote:
>
> http://weblog.rubyonrails.com/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
>
>
> This is a MANDATORY upgrade for anyone not running on a very recent edge
> (which isn't affected by this). If you have a public Rails site, you MUST
> upgrade to Rails 1.1.5. The security issue is severe and you do not want to be
> caught unpatched.
>
> The issue is in fact of such a criticality that we're not going to dig into
> the specifics. No need to arm would-be assailants.
>
> I'm not really a fan of the fearful release note as seen above. I know some
> Philly on Rails people live on edge. Anyone want to go in to detail on what
> was actually broken? And how it was fixed?
>
> ~ Mike
> --
> Work: http://ClickableBliss.com
> Play: http://MikeZornek.com
>
>
> _______________________________________________
> talk mailing list
> talk@phillyonrails.org
> http://lists.phillyonrails.org/mailman/listinfo/talk
>


--
Evan Weaver
University of Delaware



--
Evan Weaver
University of Delaware