XSS vulnerability in the translate helper method in Ruby on Rails

762 views
Skip to first unread message

Michael Koziarski

unread,
Nov 17, 2011, 8:41:45 PM11/17/11
to rubyonrail...@googlegroups.com
There is a vulnerability in the translate helper method which may allow
an attacker to insert arbitrary code into a page. This vulnerability
has been disclosed to the public so no a CVE identifier has yet to be
assigned.

Versions Affected: 3.0.0 and later, 2.3.X in combination with the
rails_xss plugin
Not Affected: Pre-3.0.0 releases, without the rails_xss plugin,
did no automatic XSS escaping, so are not considered vulnerable
Fixed Versions: 3.0.11, 3.1.2

Impact
------

Ruby on Rails has a helper method for i18n translations. This function
has a convention whereby translations strings with a name ending in
'html' are considered HTML safe. There is also a mechanism for
interpolation. It has been discovered that these 'html' strings allow
arbitrary values to be contained in the interpolated input, and these
values are not escaped.

All users using the translate helper method with 'html safe'
translations which use variable interpolation should either upgrade or
use one of the workarounds immediately.

Workarounds
-----------

Escape all interpolated input manually. For example:

translate('some_html', :some => '<input>')

should be changed to:

translate('some_html', :some => h('<input>'))

Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.

* 3-0-translate.patch - Patch for 3.0 series
* 3-1-translate.patch - Patch for 3.1 series

Credits
-------

Thanks to Sergey Nartimov for finding the vulnerability and submitting
the initial patch.
--
Cheers,

Koz

3-0-translate.patch
3-1-translate.patch
signature.asc
Reply all
Reply to author
Forward
0 new messages