Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Applying the CVE-2013-0156 security fix to Rails 3.2.10 by hand, create this initializer.
# There are multiple weaknesses in the parameter parsing code for Ruby on Rails
# which allows attackers to bypass authentication systems, inject arbitrary SQL,
# inject and execute arbitrary code, or perform a DoS attack on a Rails application.
# This vulnerability has been assigned the CVE identifier CVE-2013-0156.
#
# https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
ActiveSupport::XmlMini::PARSING.delete("symbol")
ActiveSupport::XmlMini::PARSING.delete("yaml")
# Limit the risk of entity explosion attacks
# I imagine 1.9.3-p327 has been patched by now, but the limit is still 10,000 by default.
# http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
REXML::Document.entity_expansion_limit = 1000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.