Ruby on Rails 1.1.6 has been released to fix a serious security flaw present in the 1.1.x releases, caused by a bug in the routing code. DHH's announcement on the Rails mailing list:
> The cat is out of the bag, so here’s the full disclosure edition of
> the current security vulnerability. With Rails 1.1.0 through 1.1.5
> (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
> code through the URL because of a bug in the routing code of Rails.
> This means that you can essentially take down a Rails process by
> starting something like /script/profiler, as the code will run for a
> long time and that process will be hung while it happens. Other URLs
> can even cause data loss.
- Patch for Rails 1.1.0: [http://www.rubyonrails.org/files/aug_10_security/rel_1-1-0.diff](http://www.rubyonrails.org/files/aug_10_security/rel_1-1-0.diff)
- Patch for Rails 1.1.1: [http://www.rubyonrails.org/files/aug_10_security/rel_1-1-1.diff](http://www.rubyonrails.org/files/aug_10_security/rel_1-1-1.diff)
- Patch for Rails 1.1.2: [http://www.rubyonrails.org/files/aug_10_security/rel_1-1-2.diff](http://www.rubyonrails.org/files/aug_10_security/rel_1-1-2.diff)
- Patch for Rails 1.1.4: [http://www.rubyonrails.org/files/aug_10_security/rel_1-1-4.diff](http://www.rubyonrails.org/files/aug_10_security/rel_1-1-4.diff)
- Patch for Rails 1.1.5: Upgrade to Rails 1.1.6.
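As an added example (not part of the announcement or of Rails itself), a small Ruby helper that maps a deployed Rails version string to the advisory's status and to the patch listed above; the function and constant names are my own.

```ruby
require "rubygems"  # for Gem::Version comparison

# Range named by the advisory: 1.1.0 through 1.1.5 is affected, 1.1.3 was
# withdrawn ("short-lived") and is treated as not affected, 1.1.6 is fixed.
FIRST_AFFECTED = Gem::Version.new("1.1.0")
FIXED_IN       = Gem::Version.new("1.1.6")
WITHDRAWN      = [Gem::Version.new("1.1.3")]

# Per-version patches from the announcement; anything affected but not
# listed here (i.e. 1.1.5) has to upgrade.
PATCHES = {
  "1.1.0" => "http://www.rubyonrails.org/files/aug_10_security/rel_1-1-0.diff",
  "1.1.1" => "http://www.rubyonrails.org/files/aug_10_security/rel_1-1-1.diff",
  "1.1.2" => "http://www.rubyonrails.org/files/aug_10_security/rel_1-1-2.diff",
  "1.1.4" => "http://www.rubyonrails.org/files/aug_10_security/rel_1-1-4.diff",
}.freeze
UPGRADE = "Upgrade to Rails 1.1.6".freeze

# Returns :fixed, :out_of_range (below the 1.1.x series the advisory covers),
# :unaffected (withdrawn 1.1.3) or :affected.
def rails_routing_bug_status(version_string)
  v = Gem::Version.new(version_string)
  return :fixed        if v >= FIXED_IN
  return :out_of_range if v < FIRST_AFFECTED
  WITHDRAWN.include?(v) ? :unaffected : :affected
end

# Returns { status:, action: }; action is the patch URL, the upgrade
# instruction, or nil when nothing is required.
def rails_routing_bug_remediation(version_string)
  status = rails_routing_bug_status(version_string)
  action = nil
  if status == :affected
    action = PATCHES.fetch(Gem::Version.new(version_string).to_s, UPGRADE)
  end
  { status: status, action: action }
end

if __FILE__ == $0
  %w[1.1.0 1.1.3 1.1.5 1.1.6].each do |ver|
    puts "#{ver}: #{rails_routing_bug_remediation(ver).inspect}"
  end
end
```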
