Bug 1232310 - (CVE-2015-3226) CVE-2015-3226 rubygem-activesupport: XSS Vulnerability in ActiveSupport::JSON.encode
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150616,repor...
Keywords: Security
Depends On: 1249056 1249055 1249057 1249059 1249060
Blocks: 1232306 1232311
Reported: 2015-06-16 09:11 EDT by Vasyl Kaigorodov
Modified: 2015-07-31 08:52 EDT
Fixed In Version: rubygem-activesupport-4.2.2, rubygem-activesupport-4.1.11
Doc Type: Bug Fix
Last Closed: 2015-07-31 08:52:54 EDT


Attachments
Patch for ActiveSupport 4.1 (1.77 KB, application/mbox), 2015-07-31 08:39 EDT, Ján Rusnačko
Patch for ActiveSupport 4.2 (1.77 KB, application/mbox), 2015-07-31 08:39 EDT, Ján Rusnačko
Description Vasyl Kaigorodov 2015-06-16 09:11:33 EDT
There is an XSS vulnerability in the ActiveSupport::JSON.encode method in Ruby on Rails.

When a `Hash` containing user-controlled data is encoded as JSON (either through
`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
escaping that matches the guarantee implied by the `escape_html_entities_in_json`
option (which is enabled by default). If this resulting JSON string is subsequently
inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

    <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

Similarly, the following is also vulnerable:

    <script>
      var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
    </script>

Workarounds
-----------
To work around this problem add an initializer with the following code:

    # Make EscapedString#to_s return the EscapedString itself instead of a
    # plain String, so the HTML-entity escaping in EscapedString#to_json is
    # not lost when the encoder calls to_s (e.g. on Hash keys).
    module ActiveSupport
      module JSON
        module Encoding
          private
          class EscapedString
            def to_s
              self
            end
          end
        end
      end
    end

Attached patches resolve this issue.

Acknowledgements:

Red Hat would like to thank Ruby upstream developers for reporting this issue. Upstream acknowledges Francois Chagnon of Shopify as the original reporter.
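The mechanism behind the description above, as an added example (this is not code from the bug report, from Rails, or from the attached patches): a String subclass whose `to_json` escapes `<`, `>`, `&`, U+2028 and U+2029 is only effective while the object stays an instance of that subclass. `String#to_s` on a subclass instance returns a plain `String`, so a generator that calls `to_s` on Hash keys before serialising them silently drops the escaping; adding `to_s` returning `self` (the shape of the workaround and of the fix) keeps it. `generate_object` is a simplified, hypothetical model of that key path written for this example, not the json gem's real generator; `PAYLOAD` is constructed input; `script_safe?` is a check added here for embedding JSON in a `<script>` block.

```ruby
require 'json'

# Escaping table modelled on ActiveSupport's escape_html_entities_in_json
# behaviour (assumption: same characters, same \uXXXX replacements).
ESCAPED_CHARS = {
  "\u2028" => '\u2028', "\u2029" => '\u2029',
  '>' => '\u003e', '<' => '\u003c', '&' => '\u0026'
}.freeze
ESCAPE_REGEX = /[\u2028\u2029><&]/u

# Pre-fix shape: #to_json escapes, but there is no #to_s override, so
# String#to_s hands back a plain String without the escaping #to_json.
class VulnerableEscapedString < String
  def to_json(*)
    super.gsub(ESCAPE_REGEX, ESCAPED_CHARS)
  end
end

# Post-fix shape (what the initializer workaround / attached patches do):
# #to_s returns self, so the escaping survives a to_s call.
class FixedEscapedString < VulnerableEscapedString
  def to_s
    self
  end
end

# Hypothetical, simplified model of a JSON generator's Hash-key path:
# call #to_s on the key, then #to_json on whatever comes back.
# A plain String#to_json escapes quotes and control characters only,
# never < > & .
def generate_object(hash)
  pairs = hash.map do |key, value|
    key_json = key.to_s.to_json
    "#{key_json}:#{value.to_json}"
  end
  "{#{pairs.join(',')}}"
end

# Constructed attacker-controlled input: closes the surrounding <script>.
PAYLOAD = '</script><script>alert(1)</script>'.freeze

def encode_with(klass)
  generate_object({ klass.new(PAYLOAD) => klass.new('x') })
end

def vulnerable_output
  encode_with(VulnerableEscapedString)
end

def fixed_output
  encode_with(FixedEscapedString)
end

# Check to apply before dropping JSON into an HTML page as a literal:
# none of the characters that can terminate a <script> block or act as
# a JavaScript line terminator (U+2028/U+2029) may appear unescaped.
def script_safe?(json)
  !json.match?(/[<>&\u2028\u2029]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_output}  script_safe? #{script_safe?(vulnerable_output)}"
  puts "fixed:      #{fixed_output}  script_safe? #{script_safe?(fixed_output)}"
end
```

Both outputs parse back to the same Hash, which is why the escaping is safe to apply unconditionally: `\u003c` is just another spelling of `<` to a JSON parser, but it is inert to the HTML parser that decides where a `<script>` block ends.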
Comment 1 Kurt Seifried 2015-06-16 15:38:52 EDT
This is now public:

http://seclists.org/oss-sec/2015/q2/732
Comment 2 Ján Rusnačko 2015-07-31 08:39:20 EDT
Created attachment 1058043 [details]
Patch for ActiveSupport 4.1
Comment 3 Ján Rusnačko 2015-07-31 08:39:38 EDT
Created attachment 1058044 [details]
Patch for ActiveSupport 4.2
Comment 6 Ján Rusnačko 2015-07-31 08:45:54 EDT
Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1249055]
Affects: epel-all [bug 1249056]
