Security in JRuby

headius edited this page Jan 9, 2012 · 1 revision
Clone this wiki locally

For now this aggregates some links to security information and a few FAQs.

FAQs

JRuby versions prior to 1.6.5.1 are affected. JRuby 1.6.5.1 includes a patch to randomize the hash value for String, making this much harder to exploit. Thomas Enebo explained the DOS and fix in more detail at Special JRuby Release 1.6.5.1.

JRuby 1.7 will also include a method that allows you to get the non-seeded hash, for applications that would like a fast String#hash that is predictable. It uses murmurhash with an initial seed hash of 0.

require 'jruby/util'
puts 'foo'.hash, 'foo'.unseeded_hash

Run twice:

system ~/projects/jruby $ jruby unseeded_hash.rb 
265581630
-1880464523

system ~/projects/jruby $ jruby unseeded_hash.rb 
1788498603
-1880464523