Gist nathany/4536371, created January 15, 2013 05:26
To apply the CVE-2013-0156 security fix to Rails 3.2.10 by hand, create this initializer.
```ruby
# There are multiple weaknesses in the parameter parsing code for Ruby on Rails
# which allows attackers to bypass authentication systems, inject arbitrary SQL,
# inject and execute arbitrary code, or perform a DoS attack on a Rails application.
# This vulnerability has been assigned the CVE identifier CVE-2013-0156.
#
# https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ

# Make sure REXML is loaded before its limit is set below (added here;
# ActiveSupport's REXML backend otherwise loads it lazily).
require "rexml/document"

# Remove the "symbol" and "yaml" type casts so XML parameters can no longer
# be turned into Symbols or arbitrary YAML-deserialized objects.
ActiveSupport::XmlMini::PARSING.delete("symbol")
ActiveSupport::XmlMini::PARSING.delete("yaml")

# Limit the risk of entity explosion attacks
# I imagine 1.9.3-p327 has been patched by now, but the limit is still 10,000 by default.
# http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
REXML::Document.entity_expansion_limit = 1000
```
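As an added illustration that is not part of the gist, the following self-contained Ruby models how XmlMini's type-attribute dispatch works and what deleting the "symbol" and "yaml" entries changes; XMLMINI_PARSING, parse_params and the sample request body are constructed for this example and only approximate the real ActiveSupport::XmlMini::PARSING table. The REXML entity-expansion limit is not exercised here.

```ruby
require "rexml/document"
require "yaml"

# Constructed subset of Rails 3.2's ActiveSupport::XmlMini::PARSING table
# (assumption: a simplified model, not the real table).
XMLMINI_PARSING = {
  "symbol"  => lambda { |s| s.to_sym },
  "integer" => lambda { |s| s.to_i },
  "boolean" => lambda { |s| %w[1 true].include?(s.strip) },
  "yaml"    => lambda { |s| YAML.load(s) },
}

# Cast one element's text according to its type attribute; an unknown or
# missing type falls through to the raw string, as XmlMini does.
def typecast_element(element, parsing)
  content = element.text.to_s
  caster = parsing[element.attributes["type"]]
  caster ? caster.call(content) : content
end

# Parse a params-style XML body into { element name => cast value }.
def parse_params(xml, parsing)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, h|
    h[el.name] = typecast_element(el, parsing)
  end
end

# Constructed request body: the "yaml" and "symbol" typed fields are the
# ones the gist's initializer neutralises.
SAMPLE_XML = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">42</age>
    <role type="yaml">{admin: true}</role>
    <tag type="symbol">staff</tag>
  </user>
XML

# Stock table: "role" becomes a Hash and "tag" a Symbol straight from the request.
def vulnerable_parse
  parse_params(SAMPLE_XML, XMLMINI_PARSING)
end

# Table after the gist's two deletes: the same fields stay plain Strings.
def hardened_parse
  hardened = XMLMINI_PARSING.reject { |name, _| %w[symbol yaml].include?(name) }
  parse_params(SAMPLE_XML, hardened)
end
```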