BCC has reported a vulnerability in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the "to_json" function is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is reported in version 1.2.3. Other versions may also be affected.
Fixed in the SVN repository (Changeset 6893/6894).
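Added example, not code from this bug thread or from Rails itself: a minimal JSON string encoder that shows the bug class above and the hardening Rails 1.2.4 applied to its to_json output, namely escaping HTML-significant characters as \uXXXX sequences so that JSON inlined into a script block can never close it. The naive encoder, the hardened encoder and the `html_safe_json?` check are all constructed for this illustration.

```ruby
# Added example (not from the bug thread or Rails). Compares a JSON string
# encoder that only satisfies the JSON grammar with one that also neutralises
# HTML-significant characters, the approach Rails 1.2.4 took for to_json.
# Views commonly inline to_json output into a <script> block, so a raw
# "</script>" inside the data ends the block and the browser treats whatever
# follows as markup.

# Vulnerable shape: escapes only backslash and double quote.
def naive_json_string(str)
  '"' + str.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# Hardened shape: additionally maps <, >, & (and control whitespace) to
# \u escapes. The output is still valid JSON decoding to the same value,
# but the raw bytes can no longer form an HTML tag.
JSON_ESCAPES = {
  '"'  => '\\"',     '\\' => '\\\\',
  "\n" => '\\n',     "\r" => '\\r',     "\t" => '\\t',
  '<'  => '\\u003c', '>'  => '\\u003e', '&'  => '\\u0026'
}.freeze

def safe_json_string(str)
  '"' + str.gsub(/["\\\n\r\t<>&]/) { |c| JSON_ESCAPES[c] } + '"'
end

# Simulates a view template that inlines the encoded value into a script block.
def embed_in_script(json)
  "<script>var record = #{json};</script>"
end

# Defender-side check for a test suite: JSON destined for inline HTML must not
# contain a raw angle bracket or ampersand.
def html_safe_json?(json)
  json !~ /[<>&]/
end

if __FILE__ == $0
  # Constructed sample: a user-supplied field containing a closing script tag.
  field = %(</script><b>injected</b>)
  puts embed_in_script(naive_json_string(field)) # closing tag survives verbatim
  puts embed_in_script(safe_json_string(field))  # only \u003c... reaches the page
end
```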
setting status and cc'ing herd. ruby, please advise.
This is affecting dev-ruby/activesupport specifically.
Currently, we package rails and company from gem files. The issue here is that we don't really have much room to patch, without mangling the gem, and reassembling it. I poked around at doing that before, but didn't have much luck with reassembling.
Another approach would be to switch to source, and do 'rake gem' to generate the gem as upstream would do. The only issue here is that the tgz download for activesupport doesn't actually include the Rakefile needed to do that kind of thing. To get around that, theoretically, should be able to take a svn 'snapshot' of the 1.2.3 release tag, and go from there.
I haven't seen any mention of this bug on the rails-core mailing list, nor on the rails mailing list. So while it is considered a bug, upstream doesn't really seem to consider it a security issue. Last time there was a security issue the Rails team was pretty quick in releasing a new version. That's not to say we shouldn't fix this, but the sense of urgency seems to be low.
Original bug report here: http://dev.rubyonrails.org/ticket/8371
The patch also won't apply to 1.4.2, because they've restructured the code in that area.
Seems like it would be best to wait for upstream. ruby please comment once a fix has been released.
According to http://dev.rubyonrails.org/ticket/8371, bug has been fixed upstream.
In the meanwhile, version 1.3.1 seems stable on all arches. Is this fixed in these versions so we can move directly to the GLSA vote? Ruby, please advise.
Version 1.2.3 refers to rails itself. The version of activesupport that was released for that version was 1.4.2; they still haven't released a fixed version.
Rails 1.2.4 just got released that allegedly fixes this issue:
* Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json
ruby, please advise.
Rails 1.2.4 is now in the tree, but I would prefer to wait at least a week before starting to make it stable and thus resolve this security bug. Breaking people's web services seems to be worse than fixing this bug one week sooner.
Rails 1.2.4 fixes more security issues than just the JSON problem, see bug #195315
Hans, is it ready for stable marking now?
We should be marking rails 1.2.5 stable, and this is tracked in #195315. We should probably close this bug and track the issue on the Rails 1.2.5 bug. My current plan is to ask for stabilization of 1.2.5 on Monday morning unless something comes up in the meantime.
*** This bug has been marked as a duplicate of bug 195315 ***
Please don't close security bugs, even if they might be redundant. We need them open to handle advisories.
GLSA 200711-17, sorry for the delay.