Hey guys, hoping I can piggyback on this thread. I have a server that is running ruby 1.8.7, rails 2.3.14, and Radiant 0.9.1.

I just wanted to confirm that I can do as Kevin and add ActionController::Base.param_parsers.delete(Mime::XML) to config/initializers, and this will negate the security issue.

Also, just as an aside, when I run...

grep -r YAML . | grep parsers

I get...

./vendor/radiant/vendor/rails/actionpack/lib/action_controller/base.rb:  # ActionController::Base.param_parsers[Mime::YAML] = :yaml
./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:  ActionController::Base.param_parsers[Mime::YAML] = Proc.new { |d| YAML.load(d) }
./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:  ActionController::Base.param_parsers[Mime::YAML] = :yaml
./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:  ActionController::Base.param_parsers[Mime::YAML] = :yaml

No need to remove these lines from these files?

On Thursday, January 10, 2013 9:19:26 AM UTC-5, Jim Gay wrote:
>
> You should be fine just putting that in your app initializers.
>
> On Wednesday, January 9, 2013 5:57:46 AM UTC-5, Kevin Triplett wrote:
>>
>> Or should that file go in
>> radiant-0.9.1/vendor/rails/railties/configs/initializers ?
>>
>> On Wednesday, January 9, 2013 4:53:52 AM UTC-6, Kevin Triplett wrote:
>>>
>>> Yes, I saw that, thanks.
>>>
>>> Okay, here's what I did, please tell me if this will not work. :)
>>>
>>> Added new file in radiant-0.9.1/config/initializers called rails.rb with
>>> this single line:
>>>
>>> ActionController::Base.param_parsers.delete(Mime::XML)
>>>
>>> Thanks for your help! :D
>>>
>>> On Wednesday, January 9, 2013 4:42:04 AM UTC-6, Jim Gay wrote:
>>>>
>>>> Kevin,
>>>>
>>>> See the rails security post here with details about getting around this
>>>> problem.
>>>>
>>>> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>>>>
>>>> On Wed, Jan 9, 2013 at 5:25 AM, Kevin Triplett <mopac...@gmail.com> wrote:
>>>> > Hi Jim,
>>>> >
>>>> > What about us poor sods who are running 0.9 and unable to update Radiant? :)
>>>> >
>>>> > Kevin
>>>> >
>>>> > On Wednesday, January 9, 2013 4:01:45 AM UTC-6, Jim Gay wrote:
>>>> >>
>>>> >> Radiant no longer keeps vendor/rails in the gem. It's loaded by the
>>>> >> Gemfile.
>>>> >>
>>>> >> I've just pushed Radiant 1.1.1 with a dependency on Rails 2.3.15
>>>> >>
>>>> >> Thanks for reporting this!
>>>> >>
>>>> >> On Wed, Jan 9, 2013 at 4:28 AM, Toine Diepstraten
>>>> >> <toine.di...@googlemail.com> wrote:
>>>> >> > Hi,
>>>> >> >
>>>> >> > an important security update for Rails 2.3 was released, read more about it here:
>>>> >> >
>>>> >> > http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
>>>> >> >
>>>> >> > As I understand Radiant uses a vendor Rails 2.3.14 version. How can one
>>>> >> > update Radiant to use the security fixed Rails 2.3.15 version?
>>>> >> >
>>>> >> > Thanks for any suggestions.
>>>> >> >
>>>> >> > Best,
>>>> >> > Toine
>>>> >>
>>>> >> --
>>>> >> Write intention revealing code #=> http://www.clean-ruby.com
>>>> >>
>>>> >> Jim Gay
>>>> >> Saturn Flyer LLC
>>>> >> 571-403-0338
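The grep output quoted above mixes three very different kinds of hit: a registration that is commented out, registrations that live only under a test/ directory, and the initializer line that removes a parser. The script below is an added example written for this thread, not code from Radiant or Rails; it sorts such lines into those buckets so a reviewer can see which `param_parsers` entries would actually be active in a running app. It assumes the usual Rails layout (test/ and spec/ hold only test code) and works on constructed sample lines modelled on the quoted grep output, so it runs offline.

```ruby
# Added example, not code from the thread or from Radiant/Rails: classify
# `grep -r YAML . | grep parsers` style hits as live registrations,
# commented-out lines, test-only registrations, or parser removals.

# Constructed sample lines modelled on the grep output quoted in the thread.
SAMPLE_GREP_OUTPUT = [
  "./vendor/radiant/vendor/rails/actionpack/lib/action_controller/base.rb:  # ActionController::Base.param_parsers[Mime::YAML] = :yaml",
  "./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:  ActionController::Base.param_parsers[Mime::YAML] = Proc.new { |d| YAML.load(d) }",
  "./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb:  ActionController::Base.param_parsers[Mime::YAML] = :yaml",
  "./config/initializers/rails.rb:  ActionController::Base.param_parsers.delete(Mime::XML)",
]

# Directories whose code is never loaded by a running app (assumption: the
# usual Rails layout, where test/ and spec/ hold only test code).
TEST_DIRS = %w[/test/ /spec/]

# Split one "path:code" grep line and decide what the code does.
# Returns a hash with :path, :code, :mime (when a parser key is named) and
# :status, one of :commented, :removal, :test_only, :live_registration, :other.
def classify_grep_line(line)
  path, code = line.split(":", 2)
  code = (code || "").strip
  mime = nil
  if code =~ /param_parsers\[([^\]]+)\]\s*=/
    mime = $1.strip
  elsif code =~ /param_parsers\.delete\(([^)]+)\)/
    mime = $1.strip
  end

  status =
    if code =~ /\A#/
      :commented            # Ruby comment, never executed
    elsif code =~ /param_parsers\.delete\(/
      :removal              # disables a parser: the mitigation from the thread
    elsif mime.nil?
      :other                # mentions parsers but registers nothing
    elsif TEST_DIRS.any? { |d| path.include?(d) }
      :test_only            # registered only inside a test file
    else
      :live_registration    # would take effect in the running app
    end

  { :path => path, :code => code, :mime => mime, :status => status }
end

# Only the registrations that would actually be active in a running app.
def live_registrations(lines)
  lines.map { |l| classify_grep_line(l) }.select { |h| h[:status] == :live_registration }
end

# Mime keys explicitly removed by initializers (e.g. "Mime::XML").
def removed_parsers(lines)
  lines.map { |l| classify_grep_line(l) }.select { |h| h[:status] == :removal }.map { |h| h[:mime] }
end

if __FILE__ == $0
  SAMPLE_GREP_OUTPUT.each do |l|
    h = classify_grep_line(l)
    puts "#{h[:status].to_s.ljust(18)} #{h[:mime].inspect.ljust(14)} #{h[:path]}"
  end
  puts "live registrations: #{live_registrations(SAMPLE_GREP_OUTPUT).size}"
  puts "removed parsers:    #{removed_parsers(SAMPLE_GREP_OUTPUT).join(', ')}"
end
```

Run it against real grep output by piping the lines into `SAMPLE_GREP_OUTPUT`'s place (for example `classify_grep_line` over `STDIN.readlines`); anything reported as `live_registration` outside test/ is what deserves a closer look, while commented-out and test-only hits do not execute in the deployed app.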