Rails 5.0.0.1, 4.2.7.1, and 3.2.22.3 have been released! Hi everyone! Rails 5.0.0.1, 4.2.7.1, and 3.2.22.3 have been released! These releases contain important security fixes, so please upgrade when you can. Versions 5.0.0.1, 4.2.7.1, and 3.2.22.3 contain a fix for CVE-2016-6316 which you can read about here. Version 4.2.7.1 also contains CVE-2016-6317 which you can read about here. To ease upgradi
Hello everyone!!! It’s that time again. I would like to announce that Rails 3.2.21, 4.0.12, and 4.1.8 have been released. These releases contain a security fix where the existence of arbitrary files on the file system can be leaked, but the contents of the file will not be leaked. The issue generally only impacts people who are using Rails to serve static assets, and will generally not impact peop
Yet another release has come out. 3.2.12/3.1.11 fix one vulnerability and 2.3.17 fixes two, and the JSON gem has also received a vulnerability fix. Riding Rails: Rails 3.2.12, 3.1.11, and 2.3.17 have been released! CVE-2013-0276: a vulnerability that allows attr_protected to be bypassed. Those using attr_accessible are not affected. Fixed Versions:3.2.12, 3.1.11, 2.3.17 Looking at the patch, a regular expression was corrected. Presumably it was a problem when a value spanning multiple lines was passed. - @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/ + @regex = /\A(#{Regexp.esca
At 8:49am Pacific Time this morning a GitHub user exploited a security vulnerability in the public key update form in order to add his public key to the rails organization. He was then able to push a new file to the project as a demonstration of this vulnerability. As soon as we detected the attack we expunged the unauthorized key and suspended the user. Public Key Security Vulnerability and Mitig
So I committed in rails/rails repo I simply added a <input value=USER_ID name=public_key[user_id]> field to Public key update form, where USER_ID = 4223 (from https://api.github.com/users/rails). Backend didn't whitelist accessible attributes and had something like this: @key = PublicKey.find(params[:id]) @key.update_attributes(params[:public_key]) #Oh no! We passed public_key[user_id] of our victi