
enhanced path validation in Windows #1379

Merged
merged 2 commits into from Feb 11, 2018

Conversation

@orangetw
Contributor

orangetw commented Jan 9, 2018

Due to the Windows environment, added more checks for backslashes in the static! method and enhanced the path_traversal validation in rack-protection

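The PR description above and the advisory text further down ("Path traversal is possible via backslash characters on Windows") describe the same gap: a path cleaner that only recognises `/` as a separator leaves an encoded `..\` segment intact, and on Windows that segment is later interpreted as a directory step. The following is an added example of my own, not rack-protection's or Sinatra's code, showing a separator-aware cleaner next to a detection helper. The `windows:` keyword is an assumption standing in for host detection; `windows: false` reproduces the separator-blind behaviour that is correct on a POSIX host, where `\` is an ordinary filename character.

```ruby
# Added example (not rack-protection's own code): a request-path cleaner that
# treats "\" as a separator alongside "/" on Windows hosts, so an encoded
# "..\" segment collapses exactly like "../" does.
def clean_path(path, windows: true)
  # Decode only the escapes that matter for traversal; the rest of the path
  # keeps its original encoding.
  unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')
  if windows
    unescaped = unescaped.gsub(/%5c/i) { '\\' } # %5C is an encoded backslash
    unescaped = unescaped.gsub('\\', '/')       # both separators are equivalent on Windows
  end

  parts = []
  unescaped.split('/').each do |segment|
    next if segment.empty? || segment == '.'
    segment == '..' ? parts.pop : parts << segment
  end
  '/' + parts.join('/')
end

# Detection companion: true when the decoded path contains a ".." segment
# under either separator. Worth logging even when the cleaner neutralises it,
# because it shows someone probing the handler.
def dotdot_segment?(path)
  decoded = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/').gsub(/%5c/i) { '\\' }
  decoded.split(%r{[/\\]}).include?('..')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests; config.yml is a placeholder file name.
  ['/static/app.js', '/static/..%5c..%5cconfig.yml', '/static/%2e%2e/config.yml'].each do |req|
    puts "#{req} -> #{clean_path(req)} (dotdot segment: #{dotdot_segment?(req)})"
  end
end
```

The cleaner decodes `%5C` only when the host treats backslash as a separator; decoding it unconditionally would turn a legitimate POSIX file name containing a backslash into a directory step, which is the opposite mistake. The detection helper, by contrast, looks at both separators everywhere, since the goal there is visibility rather than correctness of the served path.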
Member

zzak commented Jan 14, 2018

cc #1339

@namusyaka namusyaka added this to the v2.0.1 milestone Feb 6, 2018

@namusyaka namusyaka self-assigned this Feb 9, 2018

Member

namusyaka commented Feb 10, 2018

Btw, thank you for sending the patch and your report!

Removed the double check line!
@namusyaka

Looks good to me. Please wait for confirming this change on my windows machine.

Member

namusyaka commented Feb 11, 2018

I've confirmed the issue, and it has been fixed correctly by this patch.
@orangetw Thank you so much!

@namusyaka namusyaka merged commit 6bcc6c3 into sinatra:master Feb 11, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

namusyaka added a commit to sinatra/rack-protection that referenced this pull request Feb 19, 2018

enhanced path validation in Windows
This commit has been backported from sinatra/sinatra#1379

Fixes CVE-2018-7212
peterkeen commented Feb 27, 2018

Hi folks, does this affect versions < 2.0?

andrew-stripe commented Feb 27, 2018

@peterkeen: I was just looking into the same thing myself. I believe it affects all versions of rack-protection before 2.0.1. I think it would be possible to backport the fix here and cut a 1.5.4 release from the separate rack-protection repo:
https://github.com/sinatra/rack-protection/blob/v1.5.3/lib/rack/protection/path_traversal.rb

andrew-stripe commented Feb 27, 2018

Ah, actually this was already backported:
https://github.com/sinatra/rack-protection/commits/stable-1.5

So this really is fixed on rack-protection ~>1.5.4 / >2.0.0 I think

ghiculescu commented Feb 27, 2018

If bundle-audit told you to come here and you don't want to update to Sinatra 2.x right now, subscribe to rubysec/ruby-advisory-db#331

Member

namusyaka commented Feb 28, 2018

Yeah, rack-protection v1.5.x has not been maintained; I backported the security fix exceptionally into the 1.5-stable branch.

bess added a commit to curationexperts/epigaea that referenced this pull request Mar 5, 2018

Security updates
nokogiri 1.8.2 fixes security issue https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
rack-protection 2.0.1 fixes security issue sinatra/sinatra#1379

@bess bess referenced this pull request Mar 5, 2018

Merged

Security updates #906

tmtmtmtm added a commit to everypolitician/legislative-explorer that referenced this pull request Mar 6, 2018

bundle update sinatra
update Sinatra due to security advisory:

  Name: rack-protection
  Version: 1.5.3
  Advisory: CVE-2018-7212
  Criticality: Unknown
  URL: sinatra/sinatra#1379
  Title: Path traversal is possible via backslash characters on Windows.
  Solution: upgrade to >= 2.0.1, ~> 1.5.4

mkorcy added a commit to TuftsUniversity/epigaea that referenced this pull request Mar 6, 2018

Security updates
nokogiri 1.8.2 fixes security issue https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
rack-protection 2.0.1 fixes security issue sinatra/sinatra#1379

robbkidd added a commit to chef/supermarket that referenced this pull request Mar 13, 2018

update rack-protection
Addresses CVE-2018-7212 reported in rack-protection.[1] CVE does not
affect Supermarket because the vulnerability is only on Windows
platforms.

[1] sinatra/sinatra#1379

Signed-off-by: Robb Kidd <rkidd@chef.io>

kynetiv added a commit to RTICWDT/open-data-maker that referenced this pull request Mar 26, 2018

Update dependencies (#46)
* update padrino dependencies (see rack-protection vuln)[sinatra/sinatra#1379]

* update actionview dependencies (action-html-sanitizer and loofah)

rimenes added a commit to rimenes/reviewit that referenced this pull request May 4, 2018

Update rack-protection gem for security fix.
Name: rack-protection
Version: 2.0.0
Advisory: CVE-2018-7212
Criticality: Unknown
URL: sinatra/sinatra#1379
Title: Path traversal is possible via backslash characters on Windows.

hugopl added a commit to hugopl/reviewit that referenced this pull request May 4, 2018

Update rack-protection gem for security fix.
Name: rack-protection
Version: 2.0.0
Advisory: CVE-2018-7212
Criticality: Unknown
URL: sinatra/sinatra#1379
Title: Path traversal is possible via backslash characters on Windows.