Rails 今天发布了紧急安全更新版本,分别是 3.2.18、4.0.5 和 4.1.1,这三个版本修复了同一个安全问题:CVE-2014-0130
请 Rails 用户尽快升级!
该漏洞详细说明:
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.
In order to be vulnerable an application must specifically use globbing routes[1] in combination with the :action parameter. The purpose of the route globbing feature is to allow parameters to contain characters which would otherwise be regarded as separators, for example '/' and '.'. As these characters have semantic meaning within template filenames, it is highly unlikely that applications are deliberately combining these functions.
To determine if you are vulnerable, search your application's routes files for '*action' and if you find any, use one of the work arounds below.
最简单的解决方法是不对 :action 参数使用 globbing 匹配,action 方法不能包含 / 字符,这样处理就已足够,所以请替换:
get 'my_url/*action', controller: 'asdf'
为
get 'my_url/:action', controller: 'asdf'
如果你的应用依赖于这个方法,你需要重命名 route 参数,并添加一个显式的 action:
get 'my_url/*template_path', controller: 'asdf', action: 'display'
然后显式添加带渲染器的 action
def display
if !params[:template_path].index('.')
render file: params[:template_path]
end
end
项目主页:http://rubyonrails.org/
下载地址:http://rubyonrails.org/download/
来自:开源中国社区
