in Rails

Multiple annoyances with Rails (more than one security issue)

There have been a number of issues with Rails popping up yesterday and today. First there was the announcement that Rails 1.1.4 had a security issue. Discussions emerged on why the core team did not disclose the details of the vulnerability. Evan Weaver had a quick look at the diff between 1.1.4 and 1.1.5 and described the problem:

It looks like, for example, that if your Rails installation is in /www/rails/, passing a string such as /www/rails/../../tmp/ would pass the old validation, and if you had managed to upload a file such as hax_controller.rb to /tmp/, a route request to /hax/ would force Rails to run your arbitrary code.

Nice. I updated a sample app to 1.1.5 and though I was safe until I read this discussion over at Ruby Forum:

One more for 1.1.5:
Two subsequent calls:

…put server to errors “SystemStackError (stack level too deep)”
constantly for all further requests.

Nice. I guess this is part of life for early adopters of new frameworks. Hopefully the community will be able to resolve these issues quickly.

  1. The scary part is that it can run your schema.rb file, which will drop all your tables and re create them.

  2. Ohhhhhh…. I had clues that there was an issue like that, but I use a pure SQL schema in all my apps because I use a visual database modeler instead of migrations, so it never occurred to me that there would be such a “bomb” laying around on people’s systems.

  3. I have also used a visual creator for such a thing. But just because you use a visual database modeler, doesn’t mean someone couldn’t somehow slip something into the right directory using a long-lined script, and then execute that. I’m glad things got handled timely. It goes to show how young rails truly is still and how we must be cautious when and where we use it without setting up the right alarms, and by alarms, I mean the equivalent of the concept of checksums in ASM. Checking to make sure everything is operating even when we’re not around…

    – ben @

Comments are closed.