Patrick Joyce

June 5, 2012

Rails 2.3 fix for CVE-2012-2660: Unsafe Query Generation

Last Thursday the Rails security team announced CVE-2012-2660. This bug takes advantage of an issue in Rack that allows for a specially crafted request to set a param to [nil] instead of nil. This could circumvent checks for nil? and lead to unsafe query generation. See the bug report for more details.

Unfortunately for those of us still maintaining production apps on 2.3.X, the Rails team no longer supports the 2.X branches and did not release a patch.

Fortunately, it was pretty trivial to back port the patch from the 3.X branch to 2.3.14. Here is my commit: security/fix-unsafe-query-generation

Updating your application

If you’ve vendored rails

Just apply my patch to the rails source in your vendor directory.

If you are using bundler (HT Tom Ward)

  • Check out my branch. From within a clone of rails:
git remote add patrick
git fetch patrick
git checkout patrick/security/fix-unsafe-query-generation
  • Build the gem files
cd actionmailer
rake gem PKG_BUILD=1
cd ../actionpack
rake gem PKG_BUILD=1
cd ../activerecord
rake gem PKG_BUILD=1
cd ../activeresource
rake gem PKG_BUILD=1
cd ../activesupport
rake gem PKG_BUILD=1
cd ../railties
rake gem PKG_BUILD=1
cd ..
  • Copy the *.gem files into your vendor/cache
cp **/pkg/*.gem <project-folder>/gems/cache
  • Update your gemfile to require rails
  • bundle update rails

If you are using bunder and have your own gem server (running geminabox)

The same as above except replace step 3 with:

  • Push the gem files to your geminabox
gem install geminabox
gem inabox **/pkg/*.gem

More Articles on Software & Product Development

Agile With a Lowercase “a”
”Agile“ is an adjective. It is not a noun. It isn’t something you do, it is something you are.
How Do You End Up With A Great Product A Year From Now?
Nail the next two weeks. 26 times in a row.
Build it Twice
Resist the urge to abstract until you've learned what is general to a class of problems and what is specific to each problem.