Red Hat Bugzilla – Attachment 1128508 Details for Bug 1310054
CVE-2016-2098 rubygem-actionview, rubygem-actionpack: code injection vulnerability in Action View
[patch] Upstream patch
3-2-secure_inline_with_params.patch (text/plain), 2.29 KB, created by Adam Mariš on 2016-02-19 10:41:23 UTC
Description: Upstream patch
Filename: 3-2-secure_inline_with_params.patch
MIME Type: text/plain
Creator: Adam Mariš
Created: 2016-02-19 10:41:23 UTC
Size: 2.29 KB
Flags: patch, obsolete
>From 9fb9eddacd679ee63414e909aa9bcf9039795986 Mon Sep 17 00:00:00 2001 >From: Arthur Neves <arthurnn@gmail.com> >Date: Tue, 2 Feb 2016 12:44:13 -0500 >Subject: [PATCH] Don't allow calls to render passing params. > >We should not allow something like `render params[:id]` if the :id is an >Hash. >That could be problematic, because an attacker could pass a hash with an >inline key which rails would assume is a render inline: "" type, and >would execute that code given, allowing remove code injention. >--- > actionpack/lib/abstract_controller/rendering.rb | 2 ++ > actionpack/test/controller/render_test.rb | 18 ++++++++++++------ > 2 files changed, 14 insertions(+), 6 deletions(-) > >diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb >index f74fd6a..0e92a59 100644 >--- a/actionpack/lib/abstract_controller/rendering.rb >+++ b/actionpack/lib/abstract_controller/rendering.rb >@@ -142,6 +142,8 @@ module AbstractController > # :api: plugin > def _normalize_args(action=nil, options={}) > case action >+ when HashWithIndifferentAccess >+ raise ArgumentError, "render parameters are not permitted" > when NilClass > when Hash > options = action >diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb >index 3555232..2440bf2 100644 >--- a/actionpack/test/controller/render_test.rb >+++ b/actionpack/test/controller/render_test.rb >@@ -272,12 +272,6 @@ class TestController < ActionController::Base > end > end > >- def test_dynamic_render_file_hash >- assert_raises ArgumentError do >- get :dynamic_render, { :id => { :file => '../\\../test/abstract_unit.rb' } } >- end >- end >- > def accessing_controller_name_in_template > render :inline => "<%= controller_name %>" > end 
>@@ -781,6 +775,18 @@ class RenderTest < ActionController::TestCase > @request.host = "www.nextangle.com" > end > >+ def test_dynamic_render_file_hash >+ assert_raises ArgumentError do >+ get :dynamic_render, { :id => { :file => '../\\../test/abstract_unit.rb' } } >+ end >+ end >+ >+ def test_dynamic_inline >+ assert_raises ArgumentError do >+ get :dynamic_render, { id: { inline: '<%= RUBY_VERSION %>' } } >+ end >+ end >+ > # :ported: > def test_simple_show > get :hello_world >-- >2.5.4 (Apple Git-61) >
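Review bot: in the `actionpack/lib/abstract_controller/rendering.rb` hunk, the new `when HashWithIndifferentAccess` arm in `_normalize_args` must stay ahead of the existing `when Hash` arm, as it does here, because `case` dispatches with `===` and a HashWithIndifferentAccess is also a Hash; swapping the two arms would make the guard unreachable. A one-line comment above the new arm stating that ordering requirement would protect it from a later tidy-up. The guard is also purely type-based: it rejects the HashWithIndifferentAccess that request parameters arrive as, but anything converted to a plain Hash before reaching `render` falls through to `when Hash` and is treated as trusted options, so the commit message's "don't allow calls to render passing params" holds only for parameters passed through unconverted. Saying so in the comment, or in the error text (`raise ArgumentError, "render parameters are not permitted"` could name request params as the thing being refused), would make the boundary of the fix explicit to the next reader.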
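Review bot: the first `actionpack/test/controller/render_test.rb` hunk reads as coverage being dropped from a security fix, and nothing in the commit message says otherwise. The hunk header shows that `test_dynamic_render_file_hash` lived inside `class TestController < ActionController::Base`, the controller under test rather than the test case, where the test runner never collected it, so the `:file` regression check was inert until this change moves it. One sentence in the commit message noting that the test is being relocated (and so run for the first time) would spare anyone bisecting the guesswork.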
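Review bot: the two tests added to `RenderTest` only exercise the rejection path, and both depend on the test request turning the `{ :id => { ... } }` literal into a HashWithIndifferentAccess before `dynamic_render` passes it to `render`; there is no companion assertion that a plain Hash of options supplied by controller code (`render :inline => "<%= controller_name %>"`, as `accessing_controller_name_in_template` in the previous hunk does) still renders, so a later change that widened the guard to `Hash` would break every `render inline:` call without failing this suite. Suggest adding a positive case next to `test_dynamic_inline` that issues `get :accessing_controller_name_in_template` and asserts on the rendered body, so the guard's intended scope is pinned from both sides.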
Attachments on bug 1310054: 1128508 | 1131939 | 1131942 | 1131943