Versions affected by CVE-2015-3226

Nemanja Čorlija

Jun 19, 2015, 7:30:37 PM
to rubyonra...@googlegroups.com
Rails 3.2.22 did not receive a fix for CVE-2015-3226 but is listed as affected by it.

However, I ran the test that ships in the patches for 4.1 and 4.2 against Rails 3.2.22 and it almost passes. The only difference is the case of the hex characters in the escaped string.

So this test passes on 3.2.22 without any modifications.

  # Wrapper added so the test method below can be run outside the Rails suite
  # (the method body is the test from the 4.1/4.2 patches, unchanged).
  require 'active_support'
  require 'active_support/json'
  require 'active_support/test_case'

  class HashKeysEncodingTest < ActiveSupport::TestCase
    def test_hash_keys_encoding
      ActiveSupport.escape_html_entities_in_json = true
      # downcase: only the case of the hex digits differs between 3.2.22 and 4.x
      assert_equal "{\"\\u003c\\u003e\":\"\\u003c\\u003e\"}", ActiveSupport::JSON.encode("<>" => "<>").downcase
    ensure
      ActiveSupport.escape_html_entities_in_json = false
    end
  end

Can someone please confirm whether Rails 3.2.22 really is vulnerable in this case or not?

Thanks!
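To make concrete what the posted test is checking, here is a self-contained Ruby illustration, added to this thread and not taken from Rails or from either poster: a toy encoder that turns `<`, `>` and `&` into `\uXXXX` escapes in both hash keys and values, beside one that escapes values only (the defect a test named test_hash_keys_encoding exists to catch), plus the same case-insensitive comparison the post uses. HTML_ESCAPE, encode_json_escaped, encode_json_values_only, escapes_hash_keys? and safe_for_inline_script? are names assumed for this illustration, not ActiveSupport APIs; only the json stdlib is used.

```ruby
require 'json'

# Added illustration (not Rails code): the characters escape_html_entities_in_json
# is meant to neutralise. Turning them into \uXXXX escapes means a JSON document
# dropped into an HTML page cannot close a <script> block or open a tag.
HTML_ESCAPE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Rewrite HTML-sensitive characters inside an already JSON-quoted string literal.
def escape_html_entities(json_literal)
  json_literal.gsub(/[<>&]/) { |ch| HTML_ESCAPE[ch] }
end

# Toy encoder that escapes hash keys as well as values (what the posted test expects).
def encode_json_escaped(obj)
  case obj
  when Hash
    pairs = obj.map { |k, v| "#{encode_json_escaped(k.to_s)}:#{encode_json_escaped(v)}" }
    "{#{pairs.join(',')}}"
  when Array
    "[#{obj.map { |e| encode_json_escaped(e) }.join(',')}]"
  when String
    escape_html_entities(obj.to_json)
  else
    obj.to_json
  end
end

# Toy encoder with the failure mode the test guards against: values are escaped,
# but hash keys are emitted as plain JSON strings, so "<" and ">" in a key survive.
def encode_json_values_only(obj)
  case obj
  when Hash
    pairs = obj.map { |k, v| "#{k.to_s.to_json}:#{encode_json_values_only(v)}" }
    "{#{pairs.join(',')}}"
  when Array
    "[#{obj.map { |e| encode_json_values_only(e) }.join(',')}]"
  when String
    escape_html_entities(obj.to_json)
  else
    obj.to_json
  end
end

# The assertion from the posted test, expressed against any encoder. Single quotes keep
# the backslashes literal; downcase ignores the hex-digit case difference the post noted.
EXPECTED_ESCAPED = '{"\u003c\u003e":"\u003c\u003e"}'.freeze

def escapes_hash_keys?(encoder)
  encoder.call({ '<>' => '<>' }).downcase == EXPECTED_ESCAPED.downcase
end

# A practical check for JSON that will be inlined into a <script> element: after escaping,
# no "</script" or HTML comment opener may remain, whatever the keys contained.
def safe_for_inline_script?(json)
  lowered = json.downcase
  !lowered.include?('</script') && !lowered.include?('<!--')
end

if $PROGRAM_NAME == __FILE__
  puts encode_json_escaped('<>' => '<>')
  puts encode_json_values_only('<>' => '<>')
  puts escapes_hash_keys?(method(:encode_json_escaped))
  puts escapes_hash_keys?(method(:encode_json_values_only))
end
```

The key-only gap is easy to miss because any encoder that handles values still produces parseable JSON; only a check that feeds a hostile key, as the posted test does, shows the difference.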

Godfrey Chan

Jun 19, 2015, 10:06:58 PM
to rubyonra...@googlegroups.com
You are correct! Rails < 4.1 is not affected. Sorry for the confusion!

Godfrey (Rails core team)

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
Visit this group at http://groups.google.com/group/rubyonrails-core.
