Major security flaw found in Rails
Quoth the Ruby on Rails blog:
This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.
The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be assailants.
Nate took a look at the code and ran a quick diff on it, but he says it looks like they may have renamed a few files. Interesting.
According to the devs, the problem affects 0.13, 0.14, 1.0, and 1.1.x.
So, what exactly is the problem? Is it an SQL injection hole, or are the RoR developers just adding red herrings?
Either way, this isn’t looking good for the RoR team. Not because there is a security flaw, but rather because of how it’s being handled. I’m not the only one expecting some backlash over this.
Oh well, as David Heinemeier Hansson himself has said:
There’s no need to fear. Security is not likely to ever be a bullet point on the feature list of a framework. All Rails does is provide you with a number of features to _help_ deal with security, like SQL injection…
Heh.
Update: Kristian Köhntopp looked into the Mandatory Mystery Patch and appears to have found a flaw by running a diff on 1.1.4 vs. 1.1.5.

Real smart. Tell a bunch of CODERS that something is severely wrong but don’t ask questions, just do what we say. Right.
IMHO this problem is not present inside 1.1.4; that’s why diffing between it and 1.1.5 gives nothing particularly relevant, if not a red herring test: they just moved things around to give the feeling that something has changed.
This is getting pretty ridiculous IMHO. Security by obfuscation for an open source project? Anyway, RoR is somewhat particular as an open source project; it seems more like a way to make money by selling books, support and conference materials to me.
Anyway my feelings are enforced by this last blog post:
http://weblog.rubyonrails.com/
“Rails 1.0 and prior is not affected by the latest security breach we’ve experienced. Neither is Rails 1.1.3. We’re currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4”
So, from 1.1.0 to 1.1.2 there is the problem, not in 1.1.3 but again inside 1.1.4?
I think that if you want to discover the real problem you should probably diff 1.1.2 and 1.1.3… let’s see how it turns out.