Hi, On 19 February 2016 at 09:35, Linus van Geuns <li...@vangeuns.name> wrote: > On Thu, Feb 18, 2016 at 8:35 PM, Thorsten Alteholz <deb...@alteholz.de> wrote: >> On irc you wrote: >> 15:05 < Nirkus> have some old redmine running on squeeze-lts (yeah..) and >> since the update yesterday the following redmine code bails out with >> "private method `split' called for nil:NilClass" at the following line: >> 15:06 < Nirkus> @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] : >> (@env['REQUEST_URI'].split('?', 2)[1] || '') >> >> In CVE-2015-7519[1] it was detected, that it is possible to obtain >> unauthorized access if you send http variables with "_" instead of "-". More >> information can be found here[2]. As a solution it was proposed to simply >> filter out all variables containing an "_". This was already done in mod_cgi >> of apache[3] and now I applied a similar patch to libapache2-mod-passenger >> as well. >> >> Unfortunately there seems to be software that relies on underscores in >> variable names. So if you need such variables you might want to use the >> workaround for apache, described in[2]. > > I am only scratching the surface of Ruby, Passenger, Rack/Rails and > Redminde, so corrections and clarifications welcome. :) > [...] > > I am not sure whether REQUEST_URI and QUERY_STRING are actually passed > as per-request env. variables by Passenger or added to the env hash by > Rack/Rails. > Still, this looks like a regression to me, since it removes previously > available variables, which should not be in scope of CVE-2015-7519.
It is a regression, there's no way for applications using mod_passenger to work after the latest update. Not only did the update switch to a native package and drop some documentation, but it broke the module. Granted, the package is safer now that it doesn't work. Regards, -- Raphael Geissert