Response Splitting Risk


Michael Koziarski

Oct 19, 2008, 10:05:51 AM
to rubyonrail...@googlegroups.com
The Ruby HTTP libraries used by Rails do not perform any sanitization
of the values of their HTTP Headers. This can lead to Response
Splitting and Header Injection attacks in certain circumstances where
user-provided values are written into response headers. These
malformed values can be used to set custom cookies, and forge fake
responses to users if your application uses any of the user submitted
parameters to construct HTTP headers without sanitizing.


A common scenario where this can be exploited is where your
application takes a URL from the query string, and redirects the user
to it. To mitigate this common scenario new versions of Rails will be
released which sanitize the values passed to redirect_to. However
you will still need to take care when writing other values to response
headers.

The new versions which will contain the fixes are:

* 2.0.5
* 2.1.2
* 2.2.0

These releases are not available immediately, so in the event that
it's infeasible or inconvenient for your application to sanitize the
values it passes to redirect_to, patches are available at the
following URLs.

2.0.x Series:

* http://weblog.rubyonrails.org/assets/2008/10/19/2.0.x.redirect_to_sanitisation.diff

2.1.x Series:

* http://weblog.rubyonrails.org/assets/2008/10/19/2.1.x.redirect_to_sanitisation.diff

Users of Edge Rails prior to ba80ff74a962 should update to the latest
revisions, cherry pick the change at ba80ff74a962 or apply the
following patch:

* http://weblog.rubyonrails.org/assets/2008/10/19/edge.redirect_to_sanitisation.diff

Thanks to Luka Treiber and Mitja Kolsek of ACROS Security for
notifying us of this issue and the Ruby Security team for their
advice.

--
Cheers

Koz
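The advisory's point is that a header value must never contain a carriage return or line feed, because that is what lets a single Location header turn into a second, attacker-controlled response. The following Ruby is an added example written for this page, not code from the advisory or from the Rails patches linked above; it assumes an application that assembles a raw HTTP redirect itself (a simplification, since a Rails app would hand the value to redirect_to) and shows a CR/LF check, a strip-and-continue variant, and a header count that reveals when an unchecked value has split the response.

```ruby
# Added example (not from the advisory): guarding values that are written into
# HTTP response headers. Constructed inputs below are illustrative only.

# Raised when a value destined for a response header carries CR or LF.
class HeaderInjectionError < StandardError; end

# CR and LF terminate header lines in HTTP/1.1, so neither may appear in a value.
CRLF_PATTERN = /[\r\n]/.freeze

# True when the value can be placed in a header without ending the line early.
def header_value_safe?(value)
  !value.to_s.match?(CRLF_PATTERN)
end

# "Clean and continue" policy: drop the line terminators and keep the rest.
# Use this only where rejecting the request outright is not an option.
def sanitize_header_value(value)
  value.to_s.gsub(CRLF_PATTERN, "")
end

# "Reject" policy: refuse to redirect to a target that would split the response.
def safe_redirect_location(url)
  raise HeaderInjectionError, "CR/LF in redirect target" unless header_value_safe?(url)
  url
end

# Hypothetical raw 302 builder that writes the value unchecked (the weak form).
def build_redirect_response_unchecked(url)
  "HTTP/1.1 302 Found\r\nLocation: #{url}\r\nContent-Length: 0\r\n\r\n"
end

# Hardened form: the same builder behind the reject policy.
def build_redirect_response(url)
  build_redirect_response_unchecked(safe_redirect_location(url))
end

# Number of header lines in a raw response (status line excluded). A redirect
# built here always has exactly two; more means the value split the response.
def header_count(raw_response)
  head = raw_response.split("\r\n\r\n", 2).first
  head.split("\r\n").length - 1
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal target and one carrying a line terminator.
  clean = "http://example.com/welcome"
  tampered = "http://example.com/welcome\r\nX-Injected: constructed-sample"

  puts header_count(build_redirect_response_unchecked(clean))     # 2
  puts header_count(build_redirect_response_unchecked(tampered))  # 3
  puts header_value_safe?(tampered)                               # false
  puts sanitize_header_value(tampered)                            # terminators removed
  begin
    build_redirect_response(tampered)
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```

The header count is the useful check for a reviewer or a test suite: any path that writes user input into a header can be exercised with a value containing "\r\n", and the response must still carry exactly the headers the application intended. Stripping is shown for completeness, but rejecting the request (or, for redirects, allowing only known local paths) leaves less room for error.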
