[SECURITY] Hotfix for cgi.rb vulnerability of Dec. 4, 2006


I’ve released a hotfix, just like the last one from Zed S., for the
new cgi.rb denial-of-service vulnerability, which does affect Rails. You
can get it here:

Evan Weaver

It will be useful to you if you are unable or unwilling to upgrade your
core Ruby cgi.rb file. We have deployed it on Chow.com and are making it
available to everyone.


=== README ===


Fix an exploitable bug in CGI multipart parsing which affects Ruby <=
1.8.5 when multipart boundary attribute contains a non-halting regular
expression string. The boundary searcher in the CGI module does not
properly escape the user-supplied parameter and will execute arbitrary
regular expressions. The fix adds escaping for the user data.

This fix is cumulative with previous CGI multipart vulnerability
fixes; see version 1.0.0 of the gem by Zed S…


Affected: standalone CGI, Mongrel, WEBrick
Unaffected: FastCGI
Unknown: mod_ruby


First, make sure you have the Hoe gem installed. Then:

sudo gem install cgi_multipart_eof_fix --source blog.evanweaver.com

Then run the included test to verify the flaw is corrected. You must
require the gem in every affected application, as follows:

require 'rubygems'
require 'cgi_multipart_eof_fix'

If you only use mongrel_rails for application hosting, you may install
mongrel like so:

sudo gem install mongrel

Then mongrel will require the fix for you, provided you have installed
version 2.0.0 of this gem. This is a hack, and mongrel may change in the




Licensed under the same license as Ruby itself. Software contains the
work of others.
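An added example, not code from the gem or from Ruby's cgi.rb (whose searcher differs in detail): a minimal boundary search that interpolates the client-declared multipart boundary into a Regexp unescaped, beside the Regexp.escape form the README's fix describes, run over constructed multipart bodies. The same unescaped interpolation is what lets a boundary supply an arbitrary pattern, including one that never finishes matching.

```ruby
# Added example (not code from the gem or from Ruby's cgi.rb): a boundary
# searcher that interpolates the client-supplied multipart boundary straight
# into a Regexp, beside the escaped form the README's fix describes.

# Locate the boundary line that terminates the first field, searching after
# the opening boundary line. Returns the byte offset or nil.
def find_closing_boundary(buf, boundary, escape:)
  # Vulnerable: metacharacters in `boundary` become regex syntax.
  # Fixed: Regexp.escape quotes them so the boundary only matches itself.
  pattern = escape ? Regexp.escape(boundary) : boundary
  after_first_line = buf.index("\r\n") + 2
  buf.index(/--#{pattern}(\r\n|--)/, after_first_line)
end

# Return the first field's value, or nil if no terminating boundary is found.
def field_value(buf, boundary, escape:)
  body_start = buf.index("\r\n\r\n") + 4
  close = find_closing_boundary(buf, boundary, escape: escape)
  close && buf[body_start...close].chomp("\r\n")
end

# Build a constructed multipart body holding one form field.
def multipart_body(boundary, *field_lines)
  ["--#{boundary}", 'Content-Disposition: form-data; name="f"', "",
   *field_lines, "--#{boundary}--", ""].join("\r\n")
end

# Case 1: '.' in the boundary acts as a wildcard when unescaped, so a line
# inside the field value is mistaken for the terminating boundary.
DOT_BOUNDARY = "x.y"
DOT_BODY = multipart_body(DOT_BOUNDARY, "hello", "--xzy", "world")

# Case 2: '+' turns "a+b" into "one or more a, then b", which never matches
# the literal "--a+b", so the terminator is never found at all.
PLUS_BOUNDARY = "a+b"
PLUS_BODY = multipart_body(PLUS_BOUNDARY, "hello")

if __FILE__ == $0
  [[DOT_BODY, DOT_BOUNDARY], [PLUS_BODY, PLUS_BOUNDARY]].each do |body, b|
    puts "boundary #{b.inspect}:"
    puts "  unescaped -> #{field_value(body, b, escape: false).inspect}"
    puts "  escaped   -> #{field_value(body, b, escape: true).inspect}"
  end
end
```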

On 12/5/06, Evan W. [email protected] wrote:

> available to everyone.
Thanks for updating the gem, Evan!

A historical note: Jamis B. is the author; he found, fixed, and tested the
original vulnerability.


You’re welcome. Thanks for the clarification; I see now in Zed’s
original post that he credited you and Jamis.