Alerte de sécurité venant de la Rails Core Team :
L’annonce :
Response Splitting Risk
Posted by michael October 19, 2008 @ 02:03 PM
The Ruby HTTP libraries used by Rails do not perform any sanitization
of the values of their HTTP Headers. This can lead to Response
Splitting and Header Injection attacks in certain circumstances where
user-provided values are written into response headers. These malformed
values can be used to set custom cookies, and forge fake responses
to users if your application uses any of the user submitted parameters
to construct HTTP headers without sanitizing.
A common scenario where this can be exploited is where your
application takes a URL from the query string, and redirects the
user to it. To mitigate this common scenario new versions of
Rails will be released which sanitize the values passed to
redirect_to. However you will still need to take care when writing
other values to response headers.
The new versions which will contain the fixes are:
2.0.5
2.1.2
2.2.0
These releases are not available immediately, so in the event
that it’s infeasible or inconvenient for your application to sanitize
the user-supplied values it passes to redirect_to, patches are
available at the following locations.
2.0.x Series
http://weblog.rubyonrails.org/assets/2008/10/19/2.0.x.redirect_to_sanitisation.diff
2.1.x Series
http://weblog.rubyonrails.org/assets/2008/10/19/2.1.x.redirect_to_sanitisation.diff
Users of Edge Rails prior to ba80ff74a962 should update to the
latest revisions, cherry pick the change at ba80ff74a962 or or
apply this patch
http://weblog.rubyonrails.org/assets/2008/10/19/edge.redirect_to_sanitisation.diff
Thanks to Luka Treiber and Mitja Kolsek of ACROS Security
for notifying us of this issue and the Ruby Security team for
their advice.
–
Les 50 ans du Lisp : http://www.lisp50.org
http://twitter.com/underflow_