Skip to content

Instantly share code, notes, and snippets.

@gaizka
Created June 5, 2012 16:57
Show Gist options
  • Save gaizka/2876231 to your computer and use it in GitHub Desktop.
Save gaizka/2876231 to your computer and use it in GitHub Desktop.
Patch for Rails null param vulnerability (CVE-2012-2660) ported to Rails 2.3.x versions
# Adapted patch for CVE-2012-2660 rails vulnerability to Rails 2 versions
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
#
# 1- Drop it at your_app/config/initializers/
# 2- Remember to pass your tests/specs
# 3- Profit!
module ActionController
class Request < Rack::Request
alias_method :normalize_parameters_with_null_vulnerability, :normalize_parameters
# http://my.site/object/4/edit?token[]
# would have has params:
# {"token"=>[nil] }
# This change would turn them into
# {"token"=> nil }
# Convert nested Hashs to HashWithIndifferentAccess and replace
# file upload hashs with UploadedFile objects
def normalize_parameters(value)
case value
when Hash
if value.has_key?(:tempfile)
upload = value[:tempfile]
upload.extend(UploadedFile)
upload.original_path = value[:filename]
upload.content_type = value[:type]
upload
else
h = {}
value.each { |k, v| h[k] = normalize_parameters(v) }
# Original, vulnerable behaviour
# h.with_indifferent_access
# Safe behaviour
deep_munge(h).with_indifferent_access
end
when Array
value.map { |e| normalize_parameters(e) }
else
value
end
end
# Taken from 3-0-null_param.patch
# Remove nils from the params hash
def deep_munge(hash)
hash.each_value do |v|
case v
when Array
v.grep(Hash) { |x| deep_munge(x) }
when Hash
deep_munge(v)
end
end
keys = hash.keys.find_all { |k| hash[k] == [nil] }
keys.each { |k| hash[k] = nil }
hash
end
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment