Don't symbolize tainted data.

`I18n.locale=` symbolizes its argument, so passing it `params[:locale]`
allows one to DoS your application by visiting `...?locale=` URLs
repeatedly, with unique values, until the never-GCed symbols monopolize
the available memory.
1 parent b12c1b8 · commit ec0664a6eb8906fcd31a53a1efad69bdc7fe6f5b · @devlinzed committed Feb 11, 2014
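The mechanism the commit message describes, as an added example that is not code from the Rails guide, the i18n gem, or this commit: the unguarded pattern beside a whitelisted one, plus a counter that shows how many symbols each variant interns for a burst of attacker-chosen locale values. `params` is a plain Hash with string keys standing in for Rails' `params`, `AVAILABLE_LOCALES` is an assumed application setting (the hunk hardcodes `%w[en fr]`), and `unsafe_locale`, `safe_locale` and `symbols_created_by` are hypothetical helper names.

```ruby
# Added example, not from the Rails guide or the i18n gem.
# `params` is a Hash with string keys in place of Rails' params;
# AVAILABLE_LOCALES is an assumed application configuration.
require "set"

AVAILABLE_LOCALES = %i[en fr].freeze # assumption: the app's configured locales
DEFAULT_LOCALE = :en

# Before: whatever the client sent becomes a Symbol, so every unique value
# interns a new one (this is the effect of `I18n.locale = params[:locale]`).
def unsafe_locale(params)
  (params["locale"] || DEFAULT_LOCALE).to_sym
end

# After: compare as strings against the whitelist and only convert a value
# that is already known. Unknown values, nil, and non-string input (for
# example `?locale[]=x`, which arrives as an Array) all fall back to the default.
def safe_locale(params, available: AVAILABLE_LOCALES, default: DEFAULT_LOCALE)
  candidate = params["locale"].to_s
  available.map(&:to_s).include?(candidate) ? candidate.to_sym : default
end

# Count the symbols a variant interns that did not exist before the burst.
# Membership in the pre-burst symbol table is what is counted, and the
# returned symbols stay referenced in `results` for the duration, so the
# result does not depend on whether the GC ran in between.
def symbols_created_by(variant, locale_values)
  before = Symbol.all_symbols.to_set
  results = locale_values.map { |v| send(variant, { "locale" => v }) }
  results.uniq.count { |sym| !before.include?(sym) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker traffic: 500 requests, each with a unique locale value.
  burst = (1..500).map { |i| "xx-#{i}" }
  puts "unsafe_locale interned #{symbols_created_by(:unsafe_locale, burst)} new symbols"
  puts "safe_locale interned   #{symbols_created_by(:safe_locale, burst)} new symbols"
end
```

The whitelist comparison is done on strings rather than by calling `to_sym` on the input, because the conversion itself is the sink: once an attacker-controlled string is interned, the check comes too late. On Ruby 2.2 and later, symbols created at runtime can be garbage-collected, which is why the counter checks membership in the pre-burst table instead of comparing `Symbol.all_symbols.size` before and after.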
Showing 1 changed file, +5 −1: guides/source/i18n.md
@@ -145,7 +145,11 @@ The _setting part_ is easy. You can set the locale in a `before_action` in the `
before_action :set_locale
def set_locale
- I18n.locale = params[:locale] || I18n.default_locale
+ if %w[en fr].include?(params[:locale])
+ I18n.locale = params[:locale]
+ else
+ I18n.locale = I18n.default_locale
+ end
end
```
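Review bot: the whitelist in `if %w[en fr].include?(params[:locale])` is hardcoded inside what is meant as a general guide snippet, so any locale an application adds later silently falls through to the `else` branch and `I18n.default_locale`; suggest driving the check from the application's configured locales instead, e.g. `if I18n.available_locales.map(&:to_s).include?(params[:locale])`, where `map(&:to_s)` matters because `params[:locale]` is a string while `available_locales` holds symbols. The hunk also changes only the code: the surrounding guide text at `@@ -145` still says "The _setting part_ is easy" and never tells the reader why the comparison exists, so a sentence above the snippet stating that `I18n.locale=` symbolizes its argument and must not receive arbitrary request input would make the example self-explanatory.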

7 comments on commit ec0664a

@jordimassaguerpla

This is a security issue. Are we going to see a Rails update in the next days? Is there a CVE?

@carlosantoniodasilva
Ruby on Rails member

This doc change has been reverted as I18n already takes care of validating the locales, and was already released with latest Rails versions. Just make sure you have an updated I18n gem.

@jordimassaguerpla

We are talking about CVE-2013-4492, right?

@rafaelfranca
Ruby on Rails member

No. This CVE is about something else. I think this i18n change doesn't have any CVE assigned.

@jordimassaguerpla

Do you know which commits are the fixes in i18n?

@rafaelfranca
Ruby on Rails member