Rails 2.3 fix for CVE-2012-2660: Unsafe Query Generation
Last Thursday the Rails security team announced CVE-2012-2660. This bug takes advantage of an issue in Rack that allows for a specially crafted request to set a param to
[nil] instead of
nil. This could circumvent checks for
nil? and lead to unsafe query generation. See the bug report for more details.
Unfortunately for those of us still maintaining production apps on 2.3.X, the Rails team no longer supports the 2.X branches and did not release a patch.
Fortunately, it was pretty trivial to back port the patch from the 3.X branch to 2.3.14. Here is my commit: security/fix-unsafe-query-generation
Updating your application
If you’ve vendored rails
Just apply my patch to the rails source in your vendor directory.
If you are using bundler (HT Tom Ward)
- Check out my branch. From within a clone of rails:
git remote add patrick https://github.com/KeeperPat/rails.git git fetch patrick git checkout patrick/security/fix-unsafe-query-generation
- Build the gem files
cd actionmailer rake gem PKG_BUILD=1 cd ../actionpack rake gem PKG_BUILD=1 cd ../activerecord rake gem PKG_BUILD=1 cd ../activeresource rake gem PKG_BUILD=1 cd ../activesupport rake gem PKG_BUILD=1 cd ../railties rake gem PKG_BUILD=1 cd ..
- Copy the *.gem files into your vendor/cache
cp **/pkg/*.gem <project-folder>/gems/cache
- Update your gemfile to require rails 220.127.116.11
bundle update rails
If you are using bunder and have your own gem server (running geminabox)
The same as above except replace step 3 with:
- Push the gem files to your geminabox
gem install geminabox gem inabox **/pkg/*.gem
More Articles on Software & Product Development
- Agile With a Lowercase “a”
- ”Agile“ is an adjective. It is not a noun. It isn’t something you do, it is something you are.
- How Do You End Up With A Great Product A Year From Now?
- Nail the next two weeks. 26 times in a row.
- Build it Twice
- Resist the urge to abstract until you've learned what is general to a class of problems and what is specific to each problem.