Hi Thorsten,

On Thu, Feb 18, 2016 at 8:35 PM, Thorsten Alteholz <deb...@alteholz.de> wrote:
>
> [..]
> On irc you wrote:
> 15:05 < Nirkus> have some old redmine running on squeeze-lts (yeah..) and
> since the update yesterday the following redmine code bails out with "private
> method `split' called for nil:NilClass" at the following line:
> 15:06 < Nirkus> @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] :
> (@env['REQUEST_URI'].split('?', 2)[1] || '')
> [..]
>
> In CVE-2015-7519[1] it was detected that it is possible to obtain
> unauthorized access if you send http variables with "_" instead of "-". More
> information can be found here[2]. As a solution it was proposed to simply
> filter out all variables containing an "_". This was already done in mod_cgi
> of apache[3] and now I applied a similar patch to libapache2-mod-passenger as
> well.
>
> Unfortunately there seems to be software that relies on underscores in
> variable names. So if you need such variables you might want to use the
> workaround for apache, described in[2].
I am only scratching the surface of Ruby, Passenger, Rack/Rails and Redmine,
so corrections and clarifications welcome. :)

This is my interpretation of the blog entry[1] for CVE-2015-7519:

- In order to make HTTP headers of a request available as per-request
  environment variables, Passenger
  * prefixes the header names with "HTTP_"
  * converts those names to upper case
  * converts all non-alphanumeric characters in header names to underscore ("_")
- This behavior allows attackers to pass in per-request env. variables that
  look like trusted, internal headers to applications (header names "X-User"
  and "X~User" both get converted to variable name "HTTP_X_USER")

Judging from my above interpretation, CVE-2015-7519 should be mitigated by
discarding all request headers with names containing other characters than
alphanumeric and hyphen ("-").

This is my current understanding of the issue with our legacy Redmine system:

- After applying the update of libapache2-mod-passenger to mitigate
  CVE-2015-7519, libactionpack-ruby1.8 fails to access either of the
  parameters 'QUERY_STRING' and 'REQUEST_URI'
- The above-mentioned parameters are retrieved from the Rack/Rails request
  environment "hash"
- The Rails/Rack request env. "hash"[L1] gets populated based on per-request
  environment variables received from Passenger
- 'QUERY_STRING' and 'REQUEST_URI' are per-request env. variables describing
  the request passed on by Passenger
- Both above-mentioned parameters are not prefixed by "HTTP_" and therefore
  not in scope of CVE-2015-7519

I am not sure whether REQUEST_URI and QUERY_STRING are actually passed as
per-request env. variables by Passenger or added to the env hash by
Rack/Rails. Still, this looks like a regression to me, since it removes
previously available variables, which should not be in scope of
CVE-2015-7519.

Regards,
Linus

[..]
>
> [1] https://security-tracker.debian.org/tracker/CVE-2015-7519
> [2] https://blog.phusion.nl/2015/12/07/cve-2015-7519/
> [3] http://mail-archives.apache.org/mod_mbox/httpd-dev/201010.mbox/<201010121630.19406....@apache.org>

[L1] https://quickleft.com/blog/understanding-rack-apps-and-middleware/#the-environment-hash
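The header-to-environment mapping and the proposed mitigation discussed in the thread above, as an added Ruby example that is not part of the original mail and not Passenger's or Rack's own code. It models the CGI-style conversion (HTTP_ prefix, upper case, non-alphanumerics to underscore), shows the "X-User" / "X~User" collision, applies the "alphanumerics and hyphen only" filter to header names, and keeps request-level variables such as REQUEST_URI and QUERY_STRING outside the filter, since they carry no HTTP_ prefix. The function names, the keyword argument `filter:` and the sample request are constructed for illustration.

```ruby
# Added illustration of the CVE-2015-7519 mechanism and mitigation as
# described in the thread. Not Passenger's or Rack's code; all names and
# sample data below are constructed.

# CGI convention: "HTTP_" prefix, upper case, every non-alphanumeric -> "_".
# This is the step that makes "X-User" and "X~User" collide.
def header_to_env_name(header_name)
  "HTTP_" + header_name.upcase.gsub(/[^A-Z0-9]/, "_")
end

# Mitigation from the thread: accept only letters, digits and hyphen in
# header names; anything else (underscore, tilde, ...) is discarded.
SAFE_HEADER_NAME = /\A[A-Za-z0-9-]+\z/

def safe_header_name?(header_name)
  !(header_name =~ SAFE_HEADER_NAME).nil?
end

# Build the per-request env hash. request_vars (REQUEST_URI, QUERY_STRING,
# ...) are copied through unchanged: they are not HTTP_-prefixed headers and
# must not be touched by the header filter. Headers are filtered (unless
# filter: false, which reproduces the pre-patch behaviour) and then mapped.
# Returns [env, rejected_header_names].
def build_env(request_vars, headers, filter: true)
  env = request_vars.dup
  rejected = []
  headers.each do |name, value|
    if !filter || safe_header_name?(name)
      env[header_to_env_name(name)] = value
    else
      rejected << name
    end
  end
  [env, rejected]
end

# Query extraction equivalent to the Redmine line quoted in the thread, with
# a nil guard so a missing REQUEST_URI yields "" instead of NoMethodError.
def query_string(env)
  qs = env["QUERY_STRING"]
  return qs if qs && !qs.empty?
  uri = env["REQUEST_URI"]
  return "" if uri.nil?
  uri.split("?", 2)[1] || ""
end

if __FILE__ == $0
  # Constructed sample request: a legitimate X-User header next to a
  # spoofing attempt that maps to the same env name.
  request_vars = { "REQUEST_URI" => "/issues?page=2", "QUERY_STRING" => "" }
  headers = { "X-User" => "alice", "X~User" => "spoofed", "Host" => "redmine.example" }

  puts "X-User  -> #{header_to_env_name('X-User')}"
  puts "X~User  -> #{header_to_env_name('X~User')}"

  env, rejected = build_env(request_vars, headers)
  puts "filtered env:   #{env.inspect}"
  puts "rejected:       #{rejected.inspect}"

  unfiltered, _ = build_env(request_vars, headers, filter: false)
  puts "unfiltered HTTP_X_USER: #{unfiltered['HTTP_X_USER']}"
  puts "query string:   #{query_string(env)}"
end
```

Run with `ruby example.rb`. With the filter on, `HTTP_X_USER` keeps the value from the well-formed header and `X~User` is reported as rejected, while `REQUEST_URI` and `QUERY_STRING` survive untouched; with `filter: false` the later, malformed header overwrites the value, which is the collision the CVE describes. The `query_string` guard shows why the quoted Redmine line raised `NoMethodError` once `REQUEST_URI` disappeared from the env hash.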