gaizka/2876231
Created June 5, 2012 16:57
Patch for Rails null param vulnerability (CVE-2012-2660) ported to Rails 2.3.x versions
# Adapted patch for CVE-2012-2660 rails vulnerability to Rails 2 versions
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
#
# 1- Drop it at your_app/config/initializers/
# 2- Remember to pass your tests/specs
# 3- Profit!
module ActionController
  class Request < Rack::Request
    # Keep the original implementation reachable under a new name. The
    # override below does not call it; the alias is only there for reference.
    alias_method :normalize_parameters_with_null_vulnerability, :normalize_parameters

    # http://my.site/object/4/edit?token[]
    # would have had params:
    #   {"token"=>[nil]}
    # This change turns them into
    #   {"token"=>nil}
    #
    # Convert nested Hashes to HashWithIndifferentAccess and replace
    # file upload hashes with UploadedFile objects
    def normalize_parameters(value)
      case value
      when Hash
        if value.has_key?(:tempfile)
          upload = value[:tempfile]
          upload.extend(UploadedFile)
          upload.original_path = value[:filename]
          upload.content_type = value[:type]
          upload
        else
          h = {}
          value.each { |k, v| h[k] = normalize_parameters(v) }
          # Original, vulnerable behaviour
          # h.with_indifferent_access
          # Safe behaviour: strip [nil] values before the hash reaches the app
          deep_munge(h).with_indifferent_access
        end
      when Array
        value.map { |e| normalize_parameters(e) }
      else
        value
      end
    end

    # Taken from 3-0-null_param.patch
    # Remove nils from the params hash: walk nested Hashes (and Hashes held
    # inside Arrays), then replace every value that is exactly [nil] with nil
    def deep_munge(hash)
      hash.each_value do |v|
        case v
        when Array
          v.grep(Hash) { |x| deep_munge(x) }
        when Hash
          deep_munge(v)
        end
      end
      keys = hash.keys.find_all { |k| hash[k] == [nil] }
      keys.each { |k| hash[k] = nil }
      hash
    end
  end
end
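What deep_munge does to parsed parameters, and why the `[nil]` value mattered, as an added example that is not part of the gist. It ports the patch's deep_munge logic stand-alone so it runs without Rails; the params hashes, the records and the find_by_token finder are constructed stand-ins for illustration (the finder treats an Array as a list of acceptable values and is not ActiveRecord), and the lookup handler carries the nil guard many applications already had.

```ruby
# Added example, not part of the gist: the gist's deep_munge logic, ported
# stand-alone so its effect can be checked without Rails, next to a toy
# request handler that shows why [nil] mattered.

# Constructed params hashes, shaped the way Rack's nested-query parser
# returns them for the query string on the left (String keys, no
# HashWithIndifferentAccess). These are hand-written, not parser output.
PARSED_PARAMS = {
  "token=abc123"     => { "token" => "abc123" },
  "token[]"          => { "token" => [nil] },
  "user[token][]"    => { "user" => { "token" => [nil] } },
  "items[][token][]" => { "items" => [{ "token" => [nil] }] },
  "token[]&token[]"  => { "token" => [nil, nil] },
}.freeze

# Same algorithm as the patch: recurse into Hashes and into Hashes held
# in Arrays, then replace any value that is exactly [nil] with nil.
def deep_munge(hash)
  hash.each_value do |v|
    case v
    when Array then v.grep(Hash) { |x| deep_munge(x) }
    when Hash  then deep_munge(v)
    end
  end
  keys = hash.keys.find_all { |k| hash[k] == [nil] }
  keys.each { |k| hash[k] = nil }
  hash
end

# Constructed records; id 2 has no token, the row a NULL lookup would hit.
RECORDS = [
  { id: 1, token: "abc123" },
  { id: 2, token: nil },
].freeze

# Toy finder (an assumption for illustration, not ActiveRecord): an Array
# argument is treated as a list of acceptable values, a scalar is compared
# directly. With [nil] the list contains nil, so the tokenless row matches.
def find_by_token(value)
  RECORDS.find do |r|
    value.is_a?(Array) ? value.include?(r[:token]) : r[:token] == value
  end
end

# Toy handler with the guard many apps already had: a missing token is
# rejected before any lookup. [nil] is not nil, so it slips past this guard.
def lookup(params)
  token = params["token"]
  return :rejected if token.nil?
  rec = find_by_token(token)
  rec ? rec[:id] : :not_found
end

def copy(hash)
  Marshal.load(Marshal.dump(hash)) # deep_munge mutates its argument
end

# Handler fed the raw parse, as an unpatched Rails 2.3 app would see it.
def unpatched_lookup(query)
  lookup(copy(PARSED_PARAMS.fetch(query)))
end

# Handler fed the munged parse, as the initializer makes the app see it.
def patched_lookup(query)
  lookup(deep_munge(copy(PARSED_PARAMS.fetch(query))))
end

if __FILE__ == $0
  PARSED_PARAMS.each_key do |q|
    printf("%-18s unpatched=%-10p patched=%p\n", q, unpatched_lookup(q), patched_lookup(q))
  end
end
```

Run it and the `token[]` row shows the whole issue: the unpatched handler returns record 2 because `[nil]` passes the nil guard and then matches the row whose token is NULL, while the munged hash hands the handler a plain nil that the guard rejects. The last query string is there to show a limit of the exact comparison in the patch, `hash[k] == [nil]`: repeating `token[]` parses to `[nil, nil]`, which that check leaves alone, so in this toy the tokenless row still matches after munging.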