There is a bug in all 2.1.x versions of Ruby on Rails which affects the effectiveness of the CSRF protection given by protect_from_forgery. By design Rails does not perform token verification on requests with certain content types not typically generated by browsers. Unfortunately this list also included 'text/plain' which can be generated by browsers.

Impact
======

Requests can be crafted which will circumvent the CSRF protection entirely. Rails does not parse the parameters provided with these requests, but that may not be enough to protect your application.

Affected Versions
======

* All releases in the 2.1 series
* All 2.2 Pre Releases

Fixes
======

* 2.1.3 and 2.2.2 will contain a fix for this issue.

Interim Workarounds
======

Users of 2.1.x releases are advised to insert the following code into a file in config/initializers/

  Mime::Type.unverifiable_types.delete(:text)

Users of Edge Rails after 2.2.1 should upgrade to the latest code in 2-2-stable.

The patch for the 2.1.x series is available at:

  http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a

This will also apply cleanly to 2.2 pre-releases prior to the following changeset:

  commit f1ad8b48aae3ee26613b3e77bc0056e120096846
  Author: Michael Koziarski <michael@koziarski.com>
  Date:   Thu Nov 13 11:19:53 2008 +0100

Users with edge-rails checkouts after that date are advised to upgrade to the latest code in 2-2-stable.
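To make the advisory's mechanism concrete, here is an added, simplified Ruby model of the protect_from_forgery decision (illustration written for this report, not Rails' own code) showing how a content type on the unverifiable list skips the token check and what the `Mime::Type.unverifiable_types.delete(:text)` workaround changes. The set contents, the content-type table and the token values are constructed assumptions.

```ruby
require 'set'

# Constructed stand-in for Mime::Type.unverifiable_types in Rails 2.1.x
# (exact contents assumed; the advisory's point is that :text is in it).
DEFAULT_UNVERIFIABLE_TYPES = Set.new([:text, :json, :xml, :yaml])

# Simplified Content-Type header -> Mime symbol table (assumption, not
# Rails' real registry).
CONTENT_TYPE_SYMBOLS = {
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'text/plain'                        => :text,
  'application/json'                  => :json
}.freeze

# Shape of the 2.1.x decision: a request is accepted without a token if it
# is a GET, or if its content type is on the unverifiable list; otherwise
# the submitted token must match the session's token.
def verified_request?(method:, content_type:, submitted_token:, session_token:,
                      unverifiable_types: DEFAULT_UNVERIFIABLE_TYPES)
  return true if method == 'GET'
  sym = CONTENT_TYPE_SYMBOLS[content_type]
  return true if sym && unverifiable_types.include?(sym)
  !submitted_token.nil? && submitted_token == session_token
end

# The advisory's interim workaround applied to the model:
# Mime::Type.unverifiable_types.delete(:text)
def with_workaround(types = DEFAULT_UNVERIFIABLE_TYPES)
  types.dup.delete(:text) # Set#delete returns the set itself
end

# Constructed sample: a POST carrying no authenticity token at all.
# Returns true when such a request would be accepted (the CSRF gap).
def token_less_post_accepted?(content_type, types)
  verified_request?(method: 'POST', content_type: content_type,
                    submitted_token: nil, session_token: 'SESSION-TOKEN-EXAMPLE',
                    unverifiable_types: types)
end

if __FILE__ == $0
  %w[application/x-www-form-urlencoded text/plain].each do |ct|
    puts format('%-36s before workaround: %-5s after: %s', ct,
                token_less_post_accepted?(ct, DEFAULT_UNVERIFIABLE_TYPES),
                token_less_post_accepted?(ct, with_workaround))
  end
end
```

Running it prints one line per content type; text/plain flips from accepted to rejected once :text is removed, while form-encoded POSTs were already checked.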
Note that Rails 2.2, which is also mentioned in the bug report, is not in the tree yet; we'll wait until the fixed 2.2.2 release has come out. My proposal for Rails 2.1.3 is to wait until that version is out, unless this will take too long. It is not clear to me at this point if Rails 1.2.6 and Rails 2.0.5 (which we have in the tree) are also affected.
rails-2.2.2 released - see #248915
Well, rails-2.2.2 is now stable, so time for GLSA decision. I vote NO.
NO, too.
mmh, actually we'll have a GLSA combined with #237385
I revbumped the 2.1 slot to fix this, as there is no 2.1.3 release in sight. Arches, please be so kind and mark dev-ruby/actionpack-2.1.2-r1 stable.
ppc64 done
amd64/x86 stable
ppc done
ia64/sparc stable
CVE-2008-7248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7248): Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
GLSA 200912-02