Hey guys, hoping I can piggyback on this thread. I have a server that is 
running ruby 1.8.7, rails 2.3.14, and Radiant 0.9.1.

I just wanted to confirm that I can do as Kevin did and add 

ActionController::Base.param_parsers.delete(Mime::XML) to 
config/initializers, and this will negate the security issue.

Also, just as an aside when I run...

grep -r YAML . | grep parsers

I get...

./vendor/radiant/vendor/rails/actionpack/lib/action_controller/base.rb:    #   ActionController::Base.param_parsers[Mime::YAML] = :yaml
./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:      ActionController::Base.param_parsers[Mime::YAML] = Proc.new { |d| YAML.load(d) }
./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:      ActionController::Base.param_parsers[Mime::YAML] = :yaml
./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:      ActionController::Base.param_parsers[Mime::YAML] = :yaml

No need to remove these lines from these files?


On Thursday, January 10, 2013 9:19:26 AM UTC-5, Jim Gay wrote:
>
> You should be fine just putting that in your app initializers.
>
> On Wednesday, January 9, 2013 5:57:46 AM UTC-5, Kevin Triplett wrote:
>>
>> Or should that file go in 
>> radiant-0.9.1/vendor/rails/railties/configs/initializers ?
>>
>>
>>
>> On Wednesday, January 9, 2013 4:53:52 AM UTC-6, Kevin Triplett wrote:
>>>
>>> Yes, I saw that, thanks.
>>>
>>> Okay, here's what I did, please tell me if this will not work. :)
>>>
>>> Added new file in radiant-0.9.1/config/initializers called rails.rb with 
>>> this single line:
>>>
>>> ActionController::Base.param_parsers.delete(Mime::XML)
>>>
>>> Thanks for your help! :D
>>>
>>>
>>> On Wednesday, January 9, 2013 4:42:04 AM UTC-6, Jim Gay wrote:
>>>>
>>>> Kevin, 
>>>>
>>>> See the rails security post here with details about getting around this 
>>>> problem. 
>>>>
>>>> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>>>>  
>>>>
>>>>
>>>> On Wed, Jan 9, 2013 at 5:25 AM, Kevin Triplett <mopac...@gmail.com> 
>>>> wrote: 
>>>> > Hi Jim, 
>>>> > 
>>>> > What about us poor sods who are running 0.9 and unable to update 
>>>> Radiant? :) 
>>>> > 
>>>> > Kevin 
>>>> > 
>>>> > 
>>>> > On Wednesday, January 9, 2013 4:01:45 AM UTC-6, Jim Gay wrote: 
>>>> >> 
>>>> >> Radiant no longer keeps vendor/rails in the gem. It's loaded by the 
>>>> >> Gemfile. 
>>>> >> 
>>>> >> I've just pushed Radiant 1.1.1 with a dependency on Rails 2.3.15 
>>>> >> 
>>>> >> Thanks for reporting this! 
>>>> >> 
>>>> >> On Wed, Jan 9, 2013 at 4:28 AM, Toine Diepstraten 
>>>> >> <toine.di...@googlemail.com> wrote: 
>>>> >> > Hi, 
>>>> >> > 
>>>> >> > an important security update for Rails 2.3 was released, read more 
>>>> >> > about it here: 
>>>> >> > 
>>>> >> > http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
>>>> >> > 
>>>> >> > As I understand it, Radiant uses a vendored Rails 2.3.14 version. How 
>>>> >> > can one update Radiant to use the security-fixed Rails 2.3.15 version? 
>>>> >> > 
>>>> >> > Thanks for any suggestions. 
>>>> >> > 
>>>> >> > Best, 
>>>> >> > Toine 
>>>> >> > 
>>>> >> 
>>>> >> 
>>>> >> 
>>>> >> -- 
>>>> >> Write intention revealing code #=> http://www.clean-ruby.com 
>>>> >> 
>>>> >> Jim Gay 
>>>> >> Saturn Flyer LLC 
>>>> >> 571-403-0338 
>>>>
>>>>
>>>>
>>>> -- 
>>>> Write intention revealing code #=> http://www.clean-ruby.com 
>>>>
>>>> Jim Gay 
>>>> Saturn Flyer LLC 
>>>> 571-403-0338 
>>>>
>>>

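As an added example (not code from this thread, from Radiant, or from Rails), the following plain-Ruby model shows why dropping the XML parser closes the hole the thread is working around: a parser table keyed by content type, in the spirit of ActionController::Base.param_parsers keyed by Mime type, whose XML parser applies the type="yaml" and type="symbol" typecasts that the linked advisory describes. Everything here is constructed for the demonstration: the XML handling is a deliberately minimal regex over flat elements rather than a real XML parser, the content-type strings stand in for Mime::XML, the Note class and the two request bodies are sample data, and YAML.unsafe_load stands in for the pre-Psych-4 YAML.load behaviour where it exists.

```ruby
require "yaml"

# Reproduce 2013-era YAML.load: Ruby 3.1+ makes YAML.load safe by default,
# so fall back to unsafe_load where it exists (assumption: Psych >= 3.3.2,
# otherwise YAML.load is already the unsafe one).
LEGACY_YAML = lambda do |text|
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Typecast table modelled on what Rails 2.3's XML parser did with
# <elem type="..."> (a model for this example, not a copy of Rails code).
LEGACY_TYPECAST = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },
  "yaml"    => LEGACY_YAML,
}.freeze

# Hardened table: no typecast may construct arbitrary Ruby objects or symbols.
SAFE_TYPECAST = LEGACY_TYPECAST.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Minimal element matcher: <name type="t">value</name>. Not a real XML parser.
ELEMENT = /<(\w+)(?:\s+type="(\w+)")?>(.*?)<\/\1>/m

# Build an XML body parser that applies the given typecast table.
def build_xml_parser(typecast)
  lambda do |body|
    m = body.match(/\A\s*<(\w+)>(.*)<\/\1>\s*\z/m)
    raise ArgumentError, "body is not a single root element" unless m
    root, inner = m.captures
    fields = inner.scan(ELEMENT).each_with_object({}) do |(name, type, value), h|
      caster = typecast[type]
      h[name] = caster ? caster.call(value) : value
    end
    { root => fields }
  end
end

# Dispatch on the request's content type; no registered parser means the
# body is never interpreted as params at all.
def parse_params(parsers, content_type, body)
  parser = parsers[content_type]
  parser ? parser.call(body) : {}
end

# Hypothetical application class that an attacker would like to instantiate.
class Note
  attr_accessor :text
end

# Constructed sample request bodies.
SYMBOL_BODY = "<user><role type=\"yaml\">:admin</role></user>"
OBJECT_BODY = "<user><bio type=\"yaml\">--- !ruby/object:Note\ntext: hi\n</bio></user>"

def legacy_parsers
  { "application/xml" => build_xml_parser(LEGACY_TYPECAST) }
end

def mitigated_parsers
  # The thread's workaround: delete the XML parser from the table.
  legacy_parsers.tap { |table| table.delete("application/xml") }
end

def patched_parsers
  # What an upgraded Rails does instead: keep XML, drop the dangerous typecasts.
  { "application/xml" => build_xml_parser(SAFE_TYPECAST) }
end

if __FILE__ == $0
  p parse_params(legacy_parsers, "application/xml", SYMBOL_BODY)
  p parse_params(legacy_parsers, "application/xml", OBJECT_BODY)
  p parse_params(mitigated_parsers, "application/xml", OBJECT_BODY)
  p parse_params(patched_parsers, "application/xml", OBJECT_BODY)
end
```

With the legacy table a request body turns into a Symbol and into a live Note instance; after the parser is deleted the same body yields no params, and with the hardened table it stays a plain string. Deleting the parser is therefore broader than the upstream fix, since it also stops legitimate XML requests, but it needs no change to the vendored Rails. On the grep hits in the post above: the base.rb line is commented out and the other three are in actionpack's own test suite, so none of them registers a parser in a running app.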