
Bug 247549

Summary: <dev-ruby/rails-2.2.2: Potential Circumvention of CSRF Protection (CVE-2008-7248)
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: azamat.hackimov, ruby
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev 2008-11-19 08:54:48 UTC
There is a bug in all 2.1.x versions of Ruby on Rails which affects
the effectiveness of the CSRF protection given by

By design rails does not perform token verification on
requests with certain content types not typically generated by
browsers. Unfortunately this list also included 'text/plain' which
can be generated by browsers.

Requests can be crafted which will circumvent the CSRF protection
entirely. Rails does not parse the parameters provided with these
requests, but that may not be enough to protect your application.

Affected Versions

* All releases in the 2.1 series
* All 2.2 Pre Releases


* 2.1.3 and 2.2.2 will contain a fix for this issue.

Interim Workarounds

Users of 2.1.x releases are advised to insert the following code into
a file in config/initializers/


Users of Edge Rails after 2.2.1 should upgrade to the latest code in

The patch for the 2.1.x series is available at:

This will also apply cleanly to 2.2 pre-releases prior to the
following changeset:

commit f1ad8b48aae3ee26613b3e77bc0056e120096846
Author: Michael Koziarski <>
Date:   Thu Nov 13 11:19:53 2008 +0100

Users with edge-rails checkouts after that date are advised to
upgrade to the latest code in 2-2-stable.
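The content-type exemption described in the advisory, modelled as an added example (this is not Rails' own code, and the exempt lists are illustrative assumptions, not the actual Rails lists): a simplified CSRF filter that skips the token check for "non-browser" media types. With text/plain in the exempt set, a cross-site form POST with no token is accepted; with text/plain removed, it is rejected.

```ruby
require 'set'

# Illustrative exempt lists (assumption, not the real Rails configuration).
# The vulnerable list wrongly treats text/plain as something a browser cannot
# send, but <form enctype="text/plain"> produces exactly that.
VULNERABLE_EXEMPT = Set['text/plain', 'application/xml', 'application/json'].freeze
FIXED_EXEMPT      = Set['application/xml', 'application/json'].freeze

# Only state-changing methods are subject to the token check.
SAFE_METHODS = Set['GET', 'HEAD'].freeze

# Return the bare media type, dropping parameters such as "; charset=UTF-8",
# so that "text/plain; charset=UTF-8" still matches the exempt entry.
def media_type(content_type)
  return nil if content_type.nil?
  content_type.split(';').first.strip.downcase
end

# Hypothetical filter: true if the request may proceed.
# A request whose media type is in +exempt+ bypasses the token comparison;
# everything else must carry a token equal to the one stored in the session.
def csrf_verified?(method:, content_type:, token:, session_token:, exempt:)
  return true if SAFE_METHODS.include?(method.upcase)
  return true if exempt.include?(media_type(content_type))
  !token.nil? && !session_token.nil? && token == session_token
end

# Constructed request modelling a cross-site <form enctype="text/plain"> POST:
# the browser attaches the victim's cookies, but no authenticity token.
CROSS_SITE_POST = {
  method: 'POST', content_type: 'text/plain; charset=UTF-8',
  token: nil, session_token: 'abc123'
}.freeze

# Constructed same-origin form POST that carries the correct token.
LEGIT_POST = {
  method: 'POST', content_type: 'application/x-www-form-urlencoded',
  token: 'abc123', session_token: 'abc123'
}.freeze

def vulnerable_result
  csrf_verified?(**CROSS_SITE_POST, exempt: VULNERABLE_EXEMPT) # => true (bypass)
end

def fixed_result
  csrf_verified?(**CROSS_SITE_POST, exempt: FIXED_EXEMPT)      # => false (rejected)
end

def legit_result
  csrf_verified?(**LEGIT_POST, exempt: FIXED_EXEMPT)           # => true
end
```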
Comment 1 Hans de Graaff gentoo-dev 2008-11-19 08:57:04 UTC
Note that Rails 2.2, which is also mentioned in the bug report, is not in the tree yet; we'll wait until the fixed 2.2.2 release has come out.

My proposal for Rails 2.1.3 is to wait until that version is out, unless this will take too long.

It is not clear to me at this point if Rails 1.2.6 and Rails 2.0.5 (which we have in the tree) are also affected.
Comment 2 Azamat H. Hackimov 2008-11-26 16:55:15 UTC
rails-2.2.2 released - see #248915
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-11 18:54:49 UTC
Well, rails-2.2.2 is now stable, so time for GLSA decision. I vote NO.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-11 19:00:57 UTC
NO, too.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-11 19:07:48 UTC
mmh, actually we'll have a GLSA combined with #237385
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-14 15:41:06 UTC
I revbumped the 2.1 slot to fix this, as there is no 2.1.3 release in sight.

Arches, please be so kind and mark dev-ruby/actionpack-2.1.2-r1 stable.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-03-15 12:50:33 UTC
ppc64 done
Comment 8 Markus Meier gentoo-dev 2009-03-15 15:06:47 UTC
amd64/x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-03-18 22:29:01 UTC
ppc done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-03-25 14:55:31 UTC
ia64/sparc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:29:20 UTC
CVE-2008-7248 (
  Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
  tokens for requests with certain content types, which allows remote
  attackers to bypass cross-site request forgery (CSRF) protection for
  requests to applications that rely on this protection, as
  demonstrated using text/plain.

Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 12:11:57 UTC
GLSA 200912-02