Hi,
On Tue, Apr 26, 2016 at 10:08 AM, Raphael Geissert <atom...@gmail.com> wrote:
> Hi,
>
> On 19 February 2016 at 09:35, Linus van Geuns <li...@vangeuns.name> wrote:
>> On Thu, Feb 18, 2016 at 8:35 PM, Thorsten Alteholz <deb...@alteholz.de>
>> wrote:
>>> On irc you wrote:
>>> 15:05 < Nirkus> have some old redmine running on squeeze-lts (yeah..) and
>>> since the update yesterday the following redmine code bails out with
>>> "private method `split' called for nil:NilClass" at the following line:
>>> 15:06 < Nirkus> @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] :
>>> (@env['REQUEST_URI'].split('?', 2)[1] || '')
>>>
>>> In CVE-2015-7519[1] it was detected that it is possible to obtain
>>> unauthorized access if you send HTTP variables with "_" instead of "-".
>>> More information can be found here[2]. As a solution it was proposed to
>>> simply filter out all variables containing an "_". This was already done in
>>> mod_cgi of Apache[3] and now I applied a similar patch to
>>> libapache2-mod-passenger as well.
>>>
>>> Unfortunately there seems to be software that relies on underscores in
>>> variable names. So if you need such variables you might want to use the
>>> workaround for Apache, described in [2].
>>
>> I am only scratching the surface of Ruby, Passenger, Rack/Rails and
>> Redmine, so corrections and clarifications welcome. :)
>>
> [...]
>>
>> I am not sure whether REQUEST_URI and QUERY_STRING are actually passed
>> as per-request env. variables by Passenger or added to the env hash by
>> Rack/Rails.
>> Still, this looks like a regression to me, since it removes previously
>> available variables, which should not be in scope of CVE-2015-7519.
>
> It is a regression, there's no way for applications using
> mod_passenger to work after the latest update. Not only did the update
> switch to a native package and drop some documentation, but it broke
> the module.
>
> Granted, the package is safer now that it doesn't work.
Yeah, granted. "We" are no longer affected by this regression since the affected Redmine instance has been migrated to a current release running on Debian jessie.

So, thank you for the incentive to do the right thing.

Regards,
Linus
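Added example (not code from Passenger, Redmine or the Debian package, and not part of the thread above): it models the CGI-style mapping of request headers to HTTP_* environment variables that makes the underscore trick in CVE-2015-7519 work, the header-name filter the thread describes as the mod_cgi-style fix, and an over-broad variant that strips every environment key containing "_" and so also removes REQUEST_URI, which is the failure Nirkus reported. The header names, values, the X-User convention and the request line are constructed; the claim that the over-broad filter is what the regressed package did is an assumption made so the symptom can be reproduced.

```ruby
# Added example, not code from Passenger, Redmine or Debian. Models the
# RFC 3875 header-to-env mapping behind CVE-2015-7519, the header-name
# filter the thread describes, and an over-broad env-key filter that
# also drops REQUEST_URI. All request data below is constructed.

# CGI mapping: uppercase, '-' becomes '_', prefix HTTP_. The distinct
# header names "X-User" and "X_User" collapse to the same key, and the
# one processed last wins, so the app cannot tell who set it.
def cgi_header_key(name)
  'HTTP_' + name.upcase.tr('-', '_')
end

def build_cgi_env(headers, request_uri:, query_string: '')
  env = { 'REQUEST_URI' => request_uri, 'QUERY_STRING' => query_string }
  headers.each { |name, value| env[cgi_header_key(name)] = value }
  env
end

# Fix in the spirit of Apache's mod_cgi: reject request headers whose
# *name* contains an underscore before they are mapped, so a client can
# no longer alias a hyphenated header the front-end proxy is trusted to set.
def drop_underscore_headers(headers)
  headers.reject { |name, _value| name.include?('_') }
end

# Over-broad variant (assumption: this is how the regression arises):
# filtering every env *key* containing '_' also discards REQUEST_URI,
# QUERY_STRING and every HTTP_* header, not just the spoofable ones.
def drop_underscore_env(env)
  env.reject { |key, _value| key.include?('_') }
end

# The Redmine expression quoted in the report, with ActiveSupport's
# present? replaced by plain Ruby. Returns the query string, or an
# "ERROR: ..." string when REQUEST_URI has been filtered away and
# split is called on nil.
def redmine_query_string(env)
  qs = env['QUERY_STRING']
  return qs if qs && !qs.empty?
  env['REQUEST_URI'].split('?', 2)[1] || ''
rescue NoMethodError => e
  "ERROR: #{e.message}"
end

if __FILE__ == $0
  # Constructed request: the proxy strips any client-sent X-User and adds
  # its own, but forwards the attacker's X_User untouched because the
  # header name is different.
  headers = [['Host', 'redmine.example'], ['X-User', 'guest'], ['X_User', 'admin']]
  uri = '/issues?project_id=1'

  env = build_cgi_env(headers, request_uri: uri)
  puts "unfiltered HTTP_X_USER: #{env['HTTP_X_USER']}"            # admin (spoofed)
  safe = build_cgi_env(drop_underscore_headers(headers), request_uri: uri)
  puts "header-name filter HTTP_X_USER: #{safe['HTTP_X_USER']}"   # guest
  puts "query string, header-name filter: #{redmine_query_string(safe)}"
  puts "query string, env-key filter: #{redmine_query_string(drop_underscore_env(env))}"
end
```

Run it with `ruby underscore_headers.rb` (file name assumed). The header-name filter keeps REQUEST_URI and QUERY_STRING intact and Redmine's query-string expression still evaluates, while the env-key filter reproduces the nil split from the IRC log; that is the difference between filtering what the client can alias and filtering everything with an underscore in it.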