Ruby on Rails 1.1.6 has been released to fix a serious security vulnerability affecting the 1.1.x versions, caused by a bug in the routing code. DHH's announcement on the ROR mailing list:
The cat is out of the bag, so here’s the full disclosure edition of the current security vulnerability. With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code will run for a long time and that process will be hung while it happens. Other URLs can even cause data loss.
- Patch for Rails 1.1.0:
- Patch for Rails 1.1.1:
- Patch for Rails 1.1.2:
- Patch for Rails 1.1.4:
- Patch for Rails 1.1.5: Upgrade to Rails 1.1.6.
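As an added example (not part of DHH's announcement or of the Rails project), a Ruby script that scans web-server access-log lines for requests aimed at the /script/ paths the advisory describes, the kind of probe an operator of a not-yet-upgraded 1.1.x host would want to spot in logs; the log lines are constructed, and the combined log format and the prefix list are assumptions.

```ruby
# Added example: flag requests whose path points into a Rails app's script/
# directory (e.g. /script/profiler, as named in the advisory above).
# Log lines are constructed sample data in Apache/nginx combined format.
require 'cgi'

# Paths under these prefixes are never legitimate controller names in a
# Rails 1.1 app; a request for them on a vulnerable host is worth an alert.
# The prefix list is an assumption, extend it to taste.
SUSPICIOUS_PREFIXES = %w[/script/ /config/ /lib/ /vendor/].freeze

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Normalise a request path: drop the query string, percent-decode it
# (so %2Fscript%2F is caught too) and collapse repeated slashes.
def normalize_path(raw)
  path = raw.split('?', 2).first
  path = CGI.unescape(path)
  path.gsub(%r{/+}, '/')
end

# Parse one log line into a hash; returns nil for lines in another format.
def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method],
    path: normalize_path(m[:path]), status: m[:status].to_i }
end

# Return the parsed entries whose path starts with a suspicious prefix.
def find_suspicious(lines)
  lines.filter_map { |l| parse_line(l) }
       .select { |e| SUSPICIOUS_PREFIXES.any? { |p| e[:path].start_with?(p) } }
end

# Constructed sample: two ordinary requests and two probes (one encoded).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [09/Aug/2006:10:00:01 +0200] "GET /posts/1 HTTP/1.1" 200 512
  203.0.113.7 - - [09/Aug/2006:10:00:02 +0200] "GET /script/profiler HTTP/1.1" 500 0
  198.51.100.4 - - [09/Aug/2006:10:00:03 +0200] "GET //script%2Fprofiler?x=1 HTTP/1.0" 200 0
  198.51.100.9 - - [09/Aug/2006:10:00:04 +0200] "POST /login HTTP/1.1" 302 0
LOG

if __FILE__ == $PROGRAM_NAME
  find_suspicious(SAMPLE_LOG.lines).each do |e|
    puts "#{e[:time]} #{e[:ip]} #{e[:method]} #{e[:path]} -> #{e[:status]}"
  end
end
```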
