Sinatra or sinatra-contrib has to do path traversal prevention #310

Closed
rkh opened this Issue Jun 25, 2011 · 7 comments


@rkh
Member
rkh commented Jun 25, 2011

Sinatra 1.3 will follow RFC 2616 for matching patterns to URLs. This introduces a path traversal vulnerability in all applications that use params directly in rendering methods (like erb(params[:template].to_sym)). A counter measure is implemented in rack-protection. I think either Sinatra or sinatra-contrib should depend on it. I would favor sinatra-contrib, but that means we can't release Sinatra 1.3 until we finish sinatra-contrib.

@rkh
Member
rkh commented Jul 25, 2011

@sr, @bmizerany, @rtomayko opinions? Also, directory traversal seems to be the most common attack.

@namelessjon

As an aside: If you're calling params[:template].to_sym then you should be aware you'll be leaking memory as symbols are never GCd. One could just try a lot of different templates ...

I'd favour sinatra depending on it, or VERY clear warnings about this in the readme.

@rkh
Member
rkh commented Jul 25, 2011

There is a third option: Basically copying the path traversal code from rack-protection into Sinatra.
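A minimal version of the counter measure discussed in this thread, written as an added example (it is not rack-protection's or Sinatra's code, though it follows the same idea): a Rack middleware that collapses `..`, `.` and their percent-encoded forms in `PATH_INFO` before the app sees them, plus an allow-list for template names so that `params[:template]` is never handed to the renderer verbatim, which also avoids the symbol leak namelessjon mentions. The middleware class, the allow-list and `safe_template_name` are all constructed for this example.

```ruby
# Added example for this thread: guard against path traversal at the Rack
# layer, and never turn untrusted input directly into a template symbol.
class PathTraversalGuard
  def initialize(app)
    @app = app
  end

  # Rack entry point: rewrite PATH_INFO in place, then hand off to the app.
  def call(env)
    env['PATH_INFO'] = self.class.clean_path(env['PATH_INFO'].to_s)
    @app.call(env)
  end

  # Collapse a URL path so that no segment can climb above the root.
  # Assumption (constructed for this example): only %2E and %2F are decoded
  # here; other percent-escapes are left for the application to handle.
  def self.clean_path(path)
    decoded = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')
    segments = []
    decoded.split('/').each do |segment|
      case segment
      when '', '.' then next          # empty or "current dir": drop it
      when '..'    then segments.pop  # "parent dir": never climb past root
      else segments << segment
      end
    end
    cleaned = '/' + segments.join('/')
    cleaned += '/' if decoded.end_with?('/') && cleaned != '/'
    cleaned
  end
end

# Template names are resolved against a fixed allow-list instead of calling
# params[:template].to_sym, so unknown input neither reaches the filesystem
# nor allocates a new symbol per request.
ALLOWED_TEMPLATES = %w[index about contact].freeze

def safe_template_name(raw)
  name = raw.to_s
  ALLOWED_TEMPLATES.include?(name) ? name.to_sym : :not_found
end

if __FILE__ == $0
  app = PathTraversalGuard.new(->(env) { [200, {}, [env['PATH_INFO']]] })
  puts app.call('PATH_INFO' => '/templates/%2e%2e/../config').last.first
  puts safe_template_name('../config').inspect
end
```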

@rkh
Member
rkh commented Aug 18, 2011
@rkh
Member
rkh commented Sep 2, 2011

I added this to sinatra-contrib for now, but (esp. after a discussion with Sinatra users at Rocky Mountain Ruby) tend to actually include it into Sinatra proper.

@rkh rkh added a commit that closed this issue Sep 2, 2011
@rkh rkh add rack-protection, fixes #310 1f1e58e
@rkh rkh closed this in 1f1e58e Sep 2, 2011
@jacobo
jacobo commented Sep 22, 2011

People really do erb(params[:template].to_sym) ?

what about people that like to: redirect params[:return_to] ?

@rkh
Member
rkh commented Sep 22, 2011

@jacobo: I will disable escaped_params by default, either in Sinatra or rack-protection. Then both scenarios should work.
