Major security vulnerability in the latest Rails 1.1.5

Hi,

I think there is still a major vulnerability in the latest Rails
1.1.5.

The problem is in the routing.rb file and the safe_load_paths method.
Because of the erroneous regexp it is possible to perform a DoS attack
on any Rails application.

To reproduce:

  1. start your application
  2. use this url: http://localhost:3000/debug

The routing module will load the standard debug.rb script, which stops a
dispatcher process waiting for terminal input. Actually, this way it
is possible to load any script from the Ruby standard library.

Patch:

Index: actionpack/lib/action_controller/routing.rb

— actionpack/lib/action_controller/routing.rb (revision 4745)
+++ actionpack/lib/action_controller/routing.rb (working copy)
@@ -270,10 +270,11 @@
protected
def safe_load_paths #:nodoc:
if defined?(RAILS_ROOT)

  •        extended_root = Regexp.escape(File.expand_path(RAILS_ROOT))
          $LOAD_PATH.select do |base|
            base = File.expand_path(base)
            extended_root = File.expand_path(RAILS_ROOT)
    

base.match(/\A#{Regexp.escape(extended_root)}/*#{file_kinds(:lib)

  • ‘|’}/) || base =~ %r{rails-[\d.]+/builtin}
  •          base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) *
    

‘|’})/) || base =~ %r{rails-[\d.]+/builtin}
end
else
$LOAD_PATH
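Review bot: the substantive fix in this hunk is the parentheses around `#{file_kinds(:lib) * '|'}`: in the old pattern `/\A#{Regexp.escape(extended_root)}/*#{file_kinds(:lib) * '|'}/` the `|` alternatives are at top level, so only the first kind is tied to `\A` and RAILS_ROOT, and every other kind matches as a bare substring anywhere in a $LOAD_PATH entry, which is how directories outside the application pass the check. One remaining point on the new line `base.match(/\A#{extended_root}\/*(#{file_kinds(:lib) * '|'})/)`: `\/*` accepts zero separators, so a root of `/srv/app` also admits `/srv/applib`; consider `\/+` so that a kind can only follow a path separator. Hoisting `Regexp.escape(File.expand_path(RAILS_ROOT))` out of the `select` block is a good change, since the root does not vary per entry.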


Kent
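To make the regexp defect concrete, here is a small reconstruction of the safe_load_paths check with the 1.1.5 pattern beside the patched one, run over a constructed $LOAD_PATH. This is an added example, not code from the thread or from Rails; ROOT, KINDS and the sample paths are assumptions, and the real file_kinds(:lib) list may differ.

```ruby
# Constructed sample values (not Rails' own); KINDS stands in for file_kinds(:lib).
ROOT  = "/srv/myapp"
KINDS = %w(app/controllers app/helpers components lib)

# Constructed sample $LOAD_PATH: two entries under the app root, the Ruby
# standard library, the rails builtin directory and an unrelated directory.
SAMPLE_LOAD_PATH = [
  "/srv/myapp/lib",
  "/srv/myapp/app/controllers",
  "/usr/lib/ruby/1.8",
  "/usr/lib/ruby/gems/1.8/gems/rails-1.1.5/builtin",
  "/home/kent/scratch",
]

# Pattern as in 1.1.5: the alternation is not grouped, so only the first
# kind is bound to \A#{root}; every later kind ("lib" here) matches as a
# bare substring anywhere in the path.
def unsafe_pattern(root, kinds)
  /\A#{Regexp.escape(File.expand_path(root))}\/*#{kinds * '|'}/
end

# Pattern as in the patch: the parentheses bind every kind to the root.
def fixed_pattern(root, kinds)
  /\A#{Regexp.escape(File.expand_path(root))}\/*(#{kinds * '|'})/
end

# Mirror of safe_load_paths: keep entries matching the pattern, plus the
# rails builtin directory, which is always allowed.
def safe_load_paths(load_path, pattern)
  load_path.select do |base|
    base = File.expand_path(base)
    base.match(pattern) || base =~ %r{rails-[\d.]+/builtin}
  end
end

if __FILE__ == $0
  # With the 1.1.5 pattern the stdlib directory is treated as "safe".
  puts "1.1.5:   #{safe_load_paths(SAMPLE_LOAD_PATH, unsafe_pattern(ROOT, KINDS)).inspect}"
  puts "patched: #{safe_load_paths(SAMPLE_LOAD_PATH, fixed_pattern(ROOT, KINDS)).inspect}"
end
```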

Running 1.1.4 - getting -> Recognition failed for “/debug”.

Running webrick.

I sent this email yesterday morning. For whatever reason it was delayed
for more than 24 hours. There must be something wrong with the mail server.
Anyway, this problem is fixed in the latest 1.1.6.

FYI: There is a Rails 1.1.6 that fixes this…

Kent,
We’re working on it. 1.1.6 should fix it I believe. Someone on the
core chime in?
Kev


Yes, 1.1.6 is not vulnerable as far as we can tell. In future, this
list is not the place to report vulnerabilities. Perhaps we should
have a [email protected] which contacts a few of us on the core
team.


Cheers

Koz