Re: [PhillyOnRails] Any news on whats what with 1.1.5?

Evan on 10 Aug 2006 09:37:26 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PhillyOnRails] Any news on whats what with 1.1.5?

From: Evan <eweaver@gmail.com>

To: talk@phillyonrails.org

Subject: Re: [PhillyOnRails] Any news on whats what with 1.1.5?

Date: Thu, 10 Aug 2006 05:36:53 -0400

List-archive: <http://lists.phillyonrails.org/pipermail/talk>

Reply-to: talk@phillyonrails.org

Sender: talk-bounces@phillyonrails.org

Mystery pretty much solved, so you can make an informed decision regarding what to do about this fiasco: http://blog.evanweaver.com/articles/2006/08/10/explanation-of-the-rails-security-vulnerability-in-1-1-4-others

Evan

On 8/9/06, Evan <eweaver@gmail.com> wrote:
It could possibly be related to these lines:

diff -r old/rails/vendor/rails/actionpack/lib/action_controller/routing.rb new/rails/vendor/rails/actionpack/lib/action_controller/routing.rb 221c221,225 < --- > > def file_kinds(kind) > ((@file_kinds ||= []) << kind).uniq! || @file_kinds > end > 230a235 > file_kinds :app 271c276 < base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin} --- > base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}

But I don't know what it might be in specific (the new version is marked by the > sign).

Evan

PS. A diff of 1.1.4 and 1.1.5, minus the /doc directory and other things unlikely to be relevant, is here: http://blog.evanweaver.com/files/diff.txt .

On 8/9/06, Aaron Blohowiak <aaron@aaronblohowiak.com> wrote: > > Security issue, not something "broken" as in stopped functioning when > functioned previously. > > If you live on edge, you are actually safe from this flaw. > > ALWAYS TEST before you go live with a new version of rails. Though they > claim this is a drop-in, it isnt. It kills some rails apps that use certain > plugins. Hit up #rubyonrails on freenode until this gets sorted out. > > > Aaron Blohowiak > > > On Aug 9, 2006, at 2:55 PM, Mike Zornek wrote: > > http://weblog.rubyonrails.com/2006/8/9/rails-1-1-5-mandatory-security-patch- > and-other-tidbits > > > This is a MANDATORY upgrade for anyone not running on a very recent edge > (which isn't affected by this). If you have a public Rails site, you MUST > upgrade to Rails 1.1.5. The security issue is severe and you do not want to > be > caught unpatched. > > The issue is in fact of such a criticality that we're not going to dig into > the specifics. No need to arm would-be assalients. > > I'm not really a fan of the fearful release note as seen above. I know some > Philly on Rails people live on edge. Anyone want to go in to detail on what > was actually broken? And how it was fixed? > > ~ Mike > -- > Work: http://ClickableBliss.com > Play: http://MikeZornek.com > > > _______________________________________________ > talk mailing list > talk@phillyonrails.org > http://lists.phillyonrails.org/mailman/listinfo/talk > > > > _______________________________________________ > talk mailing list > talk@phillyonrails.org > http://lists.phillyonrails.org/mailman/listinfo/talk > > >

-- Evan Weaver University of Delaware

-- Evan Weaver University of Delaware _______________________________________________ talk mailing list talk@phillyonrails.org http://lists.phillyonrails.org/mailman/listinfo/talk

References:

[PhillyOnRails] Any news on whats what with 1.1.5?
From: Mike Zornek <mikezornek@mikezornek.com>

Re: [PhillyOnRails] Any news on whats what with 1.1.5?
From: Aaron Blohowiak <aaron@aaronblohowiak.com>

Re: [PhillyOnRails] Any news on whats what with 1.1.5?
From: Evan <eweaver@gmail.com>

Prev by Date: Re: [PhillyOnRails] Any news on whats what with 1.1.5?

Next by Date: [PhillyOnRails] OT: Network Shares + OS X

Previous by thread: Re: [PhillyOnRails] Any news on whats what with 1.1.5?

Next by thread: [PhillyOnRails] OT: Network Shares + OS X

Index(es):

Date

Thread