Strip [nil] from parameters hash #6580

Closed

4 participants

@sebbacon

CVE-2012-2660

But is this branch now officially closed?

@rafaelfranca
Ruby on Rails member

I don't think that we will do another release. But I think that we can merge this in the 2-3-stable branch.

cc/ @tenderlove @jeremy

@boone

I just tried to fix this on my own and then found your pull request.

Any reason you put the call to deep_munge inside normalize_parameters instead of overriding parse_query like it was done in the 3.0 patch? Your tests pass. I basically copied the 3.0 patch including overriding parse_query and that passes too (boone@672933f). I'm afraid I haven't had time to study the Rack code to see if the difference is significant.

@boone

@sebbacon I created a monkey patch based on your code. I ran into errors trying to monkey patch the parse_query method but your way seems to work.

https://gist.github.com/2854095

It would be great to see your patch merged into the stable branch, and maybe it's a good reason for one last point release. The stable branch has a few other post-2.3.14 changes anyway.

Thanks everyone.

@homakov

Stripping [nil] is not a solution to those vulnerabilities; you need to strip them all.

@sebbacon

@boone, there may be better ways of doing it, but I've made the assumption that mine is Good Enough given that it causes the tests to pass.

@boone

@homakov these fixes are based on the same code that fixed the vulnerability in Rails 3.x. If it is a flawed solution for all of Rails, you should probably open a new issue. This pull request will probably be ignored by most people as it applies to Rails 2.3.

@sebbacon you're right, the tests are passing. I'm going to run with it for now. Thanks!

@homakov

The current PR is out of date. You should either update it with the current working solution (we patched AR and used compact!) or close it :)
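The two strategies argued over in this thread, the narrow "replace a value that is exactly [nil]" fix the PR title describes (and that @boone discusses placing in normalize_parameters versus parse_query) and the "strip them all" approach @homakov points at with compact!, side by side on a parameters hash. This is an editor's added illustration, not code from this PR, from @boone's gist, or from Rails itself: the function names strip_nil_arrays, compact_nils, nil_in_array? and sanitize_report and the constant BODIES are mine, and the request bodies are constructed, not captured traffic. JSON null parses to Ruby nil, which is the simplest way to get a [nil] array into a parameters hash without Rack or ActionPack.

```ruby
require 'json'

# Added example (editor's illustration, not code from this PR or from Rails).
# It contrasts the two sanitizing strategies discussed in the thread on a
# parameters hash built from a constructed JSON request body.

# Narrow strategy: only a value that is exactly [nil] is replaced by nil.
# Any other array, including [nil, nil] or ["admin", nil], is left alone.
def strip_nil_arrays(value)
  case value
  when Hash
    value.each_with_object({}) do |(key, v), out|
      out[key] = (v == [nil]) ? nil : strip_nil_arrays(v)
    end
  when Array
    value.map { |v| strip_nil_arrays(v) }
  else
    value
  end
end

# Broad strategy ("strip them all"): every nil element is removed from
# every array, at any depth, so no array can carry a nil into a query.
def compact_nils(value)
  case value
  when Hash
    value.each_with_object({}) { |(key, v), out| out[key] = compact_nils(v) }
  when Array
    value.compact.map { |v| compact_nils(v) }
  else
    value
  end
end

# True if any array anywhere in the structure still contains nil.
def nil_in_array?(value)
  case value
  when Hash  then value.values.any? { |v| nil_in_array?(v) }
  when Array then value.include?(nil) || value.any? { |v| nil_in_array?(v) }
  else false
  end
end

# Constructed request bodies (not real traffic). JSON null becomes Ruby nil,
# which is how a [nil] array reaches the parameters hash.
BODIES = {
  single_nil: '{"user":{"name":[null]}}',
  double_nil: '{"user":{"name":[null,null]}}',
  mixed:      '{"user":{"role":["admin",null]}}',
  nested:     '{"user":{"tags":[{"name":[null]}]}}'
}.freeze

# Runs both sanitizers over one parsed body and reports whether a nil
# survived inside any array (the condition the thread is worried about).
def sanitize_report(body)
  params = JSON.parse(body)
  narrow = strip_nil_arrays(params)
  broad  = compact_nils(params)
  {
    narrow: narrow, narrow_leaks: nil_in_array?(narrow),
    broad:  broad,  broad_leaks:  nil_in_array?(broad)
  }
end

if __FILE__ == $PROGRAM_NAME
  BODIES.each do |label, body|
    r = sanitize_report(body)
    puts "#{label}: narrow=#{r[:narrow].inspect} leaks=#{r[:narrow_leaks]} | " \
         "broad=#{r[:broad].inspect} leaks=#{r[:broad_leaks]}"
  end
end
```

Running it shows the gap the later comments describe: the narrow sanitizer handles `[null]` but passes `[null,null]` and `["admin",null]` through untouched with a nil still inside the array, while the compact variant leaves no nil in any array. Note the two also disagree on what the cleaned value becomes (nil versus an empty array); in a conditions hash those are not interchangeable, so whichever variant is adopted, the replacement value should be chosen deliberately rather than inherited from whichever patch was copied.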

@sebbacon

OK - got a link to the current working solution please?

@rafaelfranca
Ruby on Rails member

2.3 is no longer supported, we publish patches as possible but will no longer make releases and no longer guarantee fixes.
