Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 247549 - <dev-ruby/rails-2.2.2: Potential Circumvention of CSRF Protection (CVE-2008-7248)
Summary: <dev-ruby/rails-2.2.2: Potential Circumvention of CSRF Protection (CVE-2008-7...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2008/11...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-19 08:54 UTC by Hans de Graaff
Modified: 2009-12-20 12:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2008-11-19 08:54:48 UTC
There is a bug in all 2.1.x versions of Ruby on Rails which affects
the effectiveness of the CSRF protection given by
protect_from_forgery.

By design rails does not does not perform token verification on
requests with certain content types not typically generated by
browsers.  Unfortunately this list also included 'text/plain' which
can be generated by browsers.

Impact
======

Requests can be crafted which will circumvent the CSRF protection
entirely.  Rails does not parse the parameters provided with these
requests, but that may not be enough to protect your application.

Affected Versions
======

* All releases in the 2.1 series
* All 2.2 Pre Releases

Fixes
======

* 2.1.3 and 2.2.2 will contain a fix for this issue.

Interim Workarounds
======

Users of 2.1.x releases are advised to insert the following code into
a file in config/initializers/

  Mime::Type.unverifiable_types.delete(:text)

Users of Edge Rails after 2.2.1, should upgrade to the latest code in
2-2-stable.

The patch for the 2.1.x series is available at:

http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a

This will also apply cleanly to 2.2 pre-releases prior to the
following changeset:

commit f1ad8b48aae3ee26613b3e77bc0056e120096846
Author: Michael Koziarski <michael@koziarski.com>
Date:   Thu Nov 13 11:19:53 2008 +0100

Users with edge-rails checkouts after that date, are advised to
upgrade to the latest code in 2-2-stable.
Comment 1 Hans de Graaff gentoo-dev Security 2008-11-19 08:57:04 UTC
Not that Rails 2.2. which is also mentioned in the bug report, is not in the tree yet, we'll wait until the fixed 2.2.2 release has come out.

My proposal for Rails 2.1.3 is to wait until that version is out, unless this will take too long.

It is not clear to me at this point if Rails 1.2.6 and Rails 2.0.5 (which we have in the tree) are also affected.
Comment 2 Azamat H. Hackimov 2008-11-26 16:55:15 UTC
rails-2.2.2 released - see #248915
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-11 18:54:49 UTC
Well, rails-2.2.2 is now stable, so time for GLSA decision. I vote NO.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-11 19:00:57 UTC
NO, too.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-11 19:07:48 UTC
mmh, actually we'll have a GLSA combined with #237385
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-14 15:41:06 UTC
I revbumped the 2.1 slot to fix this, as there is no 2.1.3 release in sight.

Arches, please be so kind and mark dev-ruby/actionpack-2.1.2-r1 stable.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-03-15 12:50:33 UTC
ppc64 done
Comment 8 Markus Meier gentoo-dev 2009-03-15 15:06:47 UTC
amd64/x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-03-18 22:29:01 UTC
ppc done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-03-25 14:55:31 UTC
ia64/sparc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:29:20 UTC
CVE-2008-7248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7248):
  Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
  tokens for requests with certain content types, which allows remote
  attackers to bypass cross-site request forgery (CSRF) protection for
  requests to applications that rely on this protection, as
  demonstrated using text/plain.

Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 12:11:57 UTC
GLSA 200912-02