Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 509706 (CVE-2014-0130) - <dev-ruby/rails-{3.2.18,4.0.5,4.1.1}: Directory Traversal Vulnerability With Certain Route Configurations (CVE-2014-0130)
Summary: <dev-ruby/rails-{3.2.18,4.0.5,4.1.1}: Directory Traversal Vulnerability With ...
Status: RESOLVED FIXED
Alias: CVE-2014-0130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-06 18:00 UTC by Hans de Graaff
Modified: 2014-05-15 01:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2014-05-06 18:00:59 UTC
There is a vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.

Versions Affected:  All Supported
Not affected:       None
Fixed Versions:     4.1.1, 4.0.5, 3.2.18

Impact
------
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name.  This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.

In order to be vulnerable an application must specifically use globbing routes[1] in combination with the :action parameter.  The purpose of the route globbing feature is to allow parameters to contain characters which would otherwise be regarded as separators, for example '/' and '.'.  As these characters have semantic meaning within template filenames, it is highly unlikely that applications are deliberately combining these functions.

To determine if you are vulnerable, search your application's routes files for '*action' and if you find any, use one of the work arounds below.

Releases
--------
The 4.1.1, 4.0.5 and 3.2.18 releases are available at the normal locations.

Workarounds
-----------
The simplest workaround is to simply not use globbing matches for the :action parameter.  As action methods cannot contain a '/' character, the simple matching should be sufficient. So replace

  get 'my_url/*action', controller: 'asdf'

with

  get 'my_url/:action', controller: 'asdf'

If your application depends on this functionality, you will need to rename the route parameter and add an explicit action:

  get 'my_url/*template_path', controller: 'asdf', action: 'display'

Then add an action which renders explicitly:

  def display
    if !params[:template_path].index('.')
      render file: params[:template_path]
    end
  end

Note: The path check in this example may not be suitable for your application, take care
Comment 1 Hans de Graaff gentoo-dev Security 2014-05-06 20:01:56 UTC
Rails 3.2.18, 4.0.5, and 4.1.1 are now in the tree.
Comment 2 Hans de Graaff gentoo-dev Security 2014-05-07 11:09:20 UTC
Upstream amended the advisory:

"An earlier version of this advisory incorrectly assumed that the only way to trigger this vulnerability was with routes containing '*action'.  There are additional attack vectors and as a result *all* users are advised to upgrade to a fixed version as soon as possible."
Comment 3 Hans de Graaff gentoo-dev Security 2014-05-12 19:03:30 UTC
Vulnerable versions have been removed.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 01:42:46 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.