Rails 2.3 fix for CVE-2012-2660: Unsafe Query Generation

Last Thursday the Rails security team announced CVE-2012-2660. This bug takes advantage of an issue in Rack that allows for a specially crafted request to set a param to [nil] instead of nil. This could circumvent checks for nil? and lead to unsafe query generation. See the bug report for more details.

Unfortunately for those of us still maintaining production apps on 2.3.X, the Rails team no longer supports the 2.X branches and did not release a patch.

Fortunately, it was pretty trivial to back port the patch from the 3.X branch to 2.3.14. Here is my commit: security/fix-unsafe-query-generation

Updating your application

If you’ve vendored rails

Just apply my patch to the rails source in your vendor directory.

If you are using bundler (HT Tom Ward)

• Check out my branch. From within a clone of rails:

git remote add patrick https://github.com/KeeperPat/rails.git
git fetch patrick
git checkout patrick/security/fix-unsafe-query-generation

• Build the gem files

cd actionmailer
rake gem PKG_BUILD=1
cd ../actionpack
rake gem PKG_BUILD=1
cd ../activerecord
rake gem PKG_BUILD=1
cd ../activeresource
rake gem PKG_BUILD=1
cd ../activesupport
rake gem PKG_BUILD=1
cd ../railties
rake gem PKG_BUILD=1
cd ..

• Copy the *.gem files into your vendor/cache

cp **/pkg/*.gem <project-folder>/gems/cache

• Update your gemfile to require rails 2.3.14.1
• bundle update rails

If you are using bunder and have your own gem server (running geminabox)

The same as above except replace step 3 with:

• Push the gem files to your geminabox

gem install geminabox
gem inabox **/pkg/*.gem