Filter Problems on Case-Insensitive Filesystems


Michael Koziarski

Feb 8, 2011, 3:53:46 PM
to rubyonrail...@googlegroups.com
There is a weakness in the filtering code in Rails 3.0.x. Rails 3.0.x
uses the filesystem to list the templates available to an application.
By varying the case of an action name, an attacker may be able to
circumvent some filters if the application is deployed on a
case-insensitive filesystem. This vulnerability has been assigned the
CVE identifier CVE-2011-0449.

Versions Affected:  3.0.0-3.0.3
Not affected:       2.3.x versions and all earlier versions.
                    Applications deployed on case-sensitive filesystems.
Fixed Versions:     3.0.4

Impact
------
Users running an affected release and deploying to a server with a
case-insensitive file system should upgrade immediately.

Releases
--------
The 3.0.4 release is available at the normal location.

Workarounds
-----------
The only feasible workaround for this issue is to ensure that your
application is deployed on a case-sensitive filesystem. It is probably
much easier to upgrade your application than to change your filesystem.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided a
patch for the 3.0.x release series. It is in git-am format and consists
of a single changeset.

* 3-0-case-insensitive.patch - Patch for 3.0 series

Please note that only the 2.3.x and 3.0.x series are supported at
present. Users of earlier unsupported releases are advised to upgrade
as soon as possible.

Credits
-------

Thanks to Jan M. Faber of supersaas for reporting the problem to us and
working with us to verify the fix.
--
Cheers,

Koz
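
The advisory's two exposure conditions (a Rails version in 3.0.0-3.0.3 and a case-insensitive filesystem) can be checked on a deployment host with a short script. This is an added example, not part of the original advisory or of Rails; the function names are hypothetical, and it assumes the directory you pass is the one holding the application and is writable.

```ruby
require "rubygems"
require "tmpdir"
require "fileutils"

# Affected range exactly as stated in the advisory: 3.0.0 through 3.0.3.
FIRST_AFFECTED = Gem::Version.new("3.0.0")
LAST_AFFECTED  = Gem::Version.new("3.0.3")

# True when the Rails version string falls inside the affected range.
def affected_version?(version)
  v = Gem::Version.new(version)
  v >= FIRST_AFFECTED && v <= LAST_AFFECTED
end

# Probe the filesystem backing +dir+: create a lowercase-named file in a
# scratch directory and test whether the upper-case spelling resolves to it.
def case_insensitive_fs?(dir)
  probe_dir = Dir.mktmpdir("fs-case-probe", dir)
  File.write(File.join(probe_dir, "probe.tmp"), "")
  File.exist?(File.join(probe_dir, "PROBE.TMP"))
ensure
  FileUtils.remove_entry(probe_dir) if probe_dir
end

# Both conditions from the advisory must hold for the deployment to be exposed.
def exposed?(rails_version, deploy_dir)
  affected_version?(rails_version) && case_insensitive_fs?(deploy_dir)
end

# Usage: ruby check_case_fs.rb <rails_version> <deploy_dir>
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  version, dir = ARGV
  puts "Rails #{version} in affected range: #{affected_version?(version)}"
  puts "#{dir} is case-insensitive:      #{case_insensitive_fs?(dir)}"
  puts "Exposed per advisory:            #{exposed?(version, dir)}"
end
```

Run it against the directory that actually holds the deployed application, since a host can mount volumes with different case behaviour.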
