Potential SQL Injection in Rails 3.0.x


Michael Koziarski

Feb 8, 2011, 3:53:40 PM2/8/11
to rubyonrail...@googlegroups.com
There is a vulnerability in the limit() function in Rails 3.0.x. This
vulnerability has been assigned the CVE identifier CVE-2011-0448.

Versions Affected: 3.0.0-3.0.3
Not affected: Releases before 3.0.0
Fixed Versions: 3.0.4

Impact
------
All users running an affected release should either upgrade or use one
of the workarounds immediately.

Releases
--------
The 3.0.4 release is available at the normal location.

Workarounds
-----------

Users should convert any values provided to the limit() function into
integers explicitly. For example, code which is currently:

@posts = Post.limit(params[:per_page]).all

Should become:

@posts = Post.limit(params[:per_page].to_i).all
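As an added example (not part of the advisory and not Rails code), a stricter form of the same workaround: a coercion helper that rejects malformed input instead of relying on to_i, plus a Rails-free stand-in for Post.limit so the snippet runs on its own. The helper name, the defaults and the stand-in class are assumptions.

```ruby
# Added example: strict coercion of a user-supplied limit value before it
# reaches limit(). The advisory's workaround is params[:per_page].to_i;
# note that to_i silently turns "10abc" into 10 and "abc" into 0, while
# Integer() raises on anything that is not a well-formed integer. The
# result is then clamped so a caller cannot request an enormous page.
# Helper name, defaults and FakeRelation are assumptions, not Rails code.

DEFAULT_PER_PAGE = 25
MAX_PER_PAGE     = 100

# Returns an Integer in 1..max, or the default when the input is missing
# or malformed. Never returns the raw string.
def safe_limit(raw, default: DEFAULT_PER_PAGE, max: MAX_PER_PAGE)
  return default if raw.nil? || raw.to_s.strip.empty?
  n = Integer(raw.to_s.strip, 10) # ArgumentError on "10abc", "abc", "0x1A"
  n.clamp(1, max)
rescue ArgumentError, TypeError
  default
end

# Minimal stand-in for Post.limit(x).all so the example runs without Rails.
# It only records the value that limit() would receive; the point is that
# an Integer, never a String, must reach it on an affected release.
class FakeRelation
  attr_reader :limit_value

  def limit(value)
    @limit_value = value
    self
  end

  def all
    [self] # stand-in for the loaded records
  end
end

# The advisory's vulnerable pattern: the raw parameter goes straight in.
def unconverted_query(params)
  FakeRelation.new.limit(params[:per_page]).all.first.limit_value
end

# The workaround, applied strictly: coerce and clamp before calling limit().
def hardened_query(params)
  FakeRelation.new.limit(safe_limit(params[:per_page])).all.first.limit_value
end
```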

Patches
-------
Given the simplicity of the workarounds and the low risk of the
upgrade, we will not be backporting this change to earlier releases.

Please note that only the 2.3.x and 3.0.x series are supported at
present. Users of earlier unsupported releases are advised to upgrade
as soon as possible.

Credits
-------

Thanks to Eaden McKee from Webforce Ltd for reporting the bug to us.

--
Cheers,

Koz

3-0-limit.patch
signature.asc