Potential XSS Vulnerability in auto_link()
Aaron Patterson  
From: Aaron Patterson <aa...@tenderlovemaking.com>
Date: Tue, 5 Apr 2011 15:10:42 -0700
Local: Tues, Apr 5 2011 6:10 pm
Subject: Potential XSS Vulnerability in auto_link()

There is a weakness in the auto_link helper in rails 3.0.x.  Irrespective of the
parameters provided, auto_link marks its output as safe causing the resulting
string to be output directly to the client.  In certain circumstances an
attacker may be able to use this to exploit an application.

## Impact

Applications which pass untrusted data to auto_link may be vulnerable to XSS
attacks.  For example:

    <%= auto_link(params[:content]) %>

## Releases

The fix for this is to ensure that the return value of auto_link is never marked
as safe, allowing users to call sanitize or raw depending on their
circumstances.  The 3.0.6 release contains this change and is available at the
regular locations.

After upgrading users will have to audit their calls to auto_link and either
sanitize the resulting values or call raw where those values have been
previously sanitized.  For example, untrusted data will change from:

    <%= auto_link(@user.bio) %>

To:

    <%= sanitize(auto_link(@user.bio)) %>

Trusted data can be passed directly to the client by calling raw:

    <%= raw(auto_link(ADMIN_CONTENT)) %>

## Patches

People who are unable to upgrade can apply the attached patch directly to their
rails installation.  This patch should apply cleanly to 3.0.x.

## Workaround

To work around this problem without applying the patch, use the "sanitize"
method around your calls to auto_link():

    <%= sanitize(auto_link(params[:content])) %>

## Credits

Thanks to Torben Schulz for reporting this bug.

--
Aaron Patterson
http://tenderlovemaking.com/

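The html_safe contract the advisory turns on, as an added Ruby example that is not part of the post and not Rails code: SafeString, erb_output, raw, linkify and sanitize are constructed stand-ins for SafeBuffer, the ERB `<%= %>` tag, raw, auto_link and sanitize, and UNTRUSTED is constructed input. It shows why marking auto_link's output safe regardless of its input let markup through, and how the post-3.0.6 split between sanitize and raw restores the decision to the caller.

```ruby
require "cgi"

# Stand-in for Rails' SafeBuffer: a String the template treats as already escaped.
class SafeString < String; end

# What ERB's <%= %> does with a value: escape it unless it is flagged safe.
def erb_output(value)
  value.is_a?(SafeString) ? value.to_s : CGI.escapeHTML(value.to_s)
end

# raw: pass a string through untouched; the caller vouches for it.
def raw(value)
  SafeString.new(value.to_s)
end

URL_RE = %r{https?://[^\s<"]+}

# Toy linkifier standing in for auto_link (constructed here, not the Rails helper).
def linkify(text)
  text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Pre-3.0.6 behaviour described in the advisory: output flagged safe whatever the input.
def auto_link_old(text)
  SafeString.new(linkify(text))
end

# Fixed behaviour: a plain String, so <%= %> escapes it unless the caller sanitizes or raws.
def auto_link_fixed(text)
  linkify(text)
end

# Toy sanitize: keep anchors with http(s) hrefs and closing anchors, drop every other tag.
ALLOWED_TAG = %r{\A<(?:a href="https?://[^"]*"|/a)>\z}
def sanitize(html)
  SafeString.new(html.gsub(/<[^>]*>/) { |tag| tag.match?(ALLOWED_TAG) ? tag : "" })
end

UNTRUSTED = "See http://example.com <script>alert(1)</script>" # constructed attacker input

def renders
  {
    old: erb_output(auto_link_old(UNTRUSTED)),             # script tag reaches the browser
    fixed: erb_output(auto_link_fixed(UNTRUSTED)),         # everything escaped, link lost too
    safe: erb_output(sanitize(auto_link_fixed(UNTRUSTED))) # link kept, script tag dropped
  }
end
```

The `fixed` rendering shows why upgrading alone is not enough: without sanitize or raw the anchor is escaped along with the script, so every call site has to be audited as the advisory says.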

 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »