As far as I understand the fix, the initializer to remove the XML parser should do it.

Additionally, if you've set your project to parse YAML, there are these instructions:

------
For 2.x apps, check whether your app sets `ActionController::Base.param_parsers[Mime::YAML] = :yaml` and snip that out if it does.
-------

The patch for 2.3 has this message:

--------
Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XML. CVE-2013-0156 [Jeremy Kemper]
--------

What that means is that if you are using XML parsing and you have a type of symbol or yaml set, then you are vulnerable. By removing the XML parser in your initializer (with ActionController::Base.param_parsers.delete(Mime::XML)), you should be protected.

On Fri, Jan 11, 2013 at 9:26 AM, Mark L. <marklockl...@gmail.com> wrote:
> Hey guys, hoping I can piggyback on this thread. I have a server that is
> running ruby 1.8.7, rails 2.3.14, and Radiant 0.9.1.
>
> I just wanted to confirm that I can do as Kevin and add
>
> ActionController::Base.param_parsers.delete(Mime::XML) to
> config/initializers, and this will negate the security issue.
>
> Also, just as an aside when I run...
>
> grep -r YAML . | grep parsers
>
> I get...
>
> ./vendor/radiant/vendor/rails/actionpack/lib/action_controller/base.rb: # ActionController::Base.param_parsers[Mime::YAML] = :yaml
> ./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb: ActionController::Base.param_parsers[Mime::YAML] = Proc.new { |d| YAML.load(d) }
> ./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb: ActionController::Base.param_parsers[Mime::YAML] = :yaml
> ./vendor/radiant/vendor/rails/actionpack/test/controller/webservice_test.rb: ActionController::Base.param_parsers[Mime::YAML] = :yaml
>
> No need to remove these lines from these files?
>
> On Thursday, January 10, 2013 9:19:26 AM UTC-5, Jim Gay wrote:
>>
>> You should be fine just putting that in your app initializers.
>>
>> On Wednesday, January 9, 2013 5:57:46 AM UTC-5, Kevin Triplett wrote:
>>>
>>> Or should that file go in
>>> radiant-0.9.1/vendor/rails/railties/configs/initializers ?
>>>
>>> On Wednesday, January 9, 2013 4:53:52 AM UTC-6, Kevin Triplett wrote:
>>>>
>>>> Yes, I saw that, thanks.
>>>>
>>>> Okay, here's what I did, please tell me if this will not work. :)
>>>>
>>>> Added new file in radiant-0.9.1/config/initializers called rails.rb with
>>>> this single line:
>>>>
>>>> ActionController::Base.param_parsers.delete(Mime::XML)
>>>>
>>>> Thanks for your help! :D
>>>>
>>>> On Wednesday, January 9, 2013 4:42:04 AM UTC-6, Jim Gay wrote:
>>>>>
>>>>> Kevin,
>>>>>
>>>>> See the rails security post here with details about getting around this
>>>>> problem.
>>>>>
>>>>> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>>>>>
>>>>> On Wed, Jan 9, 2013 at 5:25 AM, Kevin Triplett <mopac...@gmail.com> wrote:
>>>>> > Hi Jim,
>>>>> >
>>>>> > What about us poor sods who are running 0.9 and unable to update
>>>>> > Radiant? :)
>>>>> >
>>>>> > Kevin
>>>>> >
>>>>> > On Wednesday, January 9, 2013 4:01:45 AM UTC-6, Jim Gay wrote:
>>>>> >>
>>>>> >> Radiant no longer keeps vendor/rails in the gem. It's loaded by the
>>>>> >> Gemfile.
>>>>> >>
>>>>> >> I've just pushed Radiant 1.1.1 with a dependency on Rails 2.3.15
>>>>> >>
>>>>> >> Thanks for reporting this!
>>>>> >>
>>>>> >> On Wed, Jan 9, 2013 at 4:28 AM, Toine Diepstraten <toine.di...@googlemail.com> wrote:
>>>>> >> > Hi,
>>>>> >> >
>>>>> >> > An important security update for Rails 2.3 was released, read more about it here:
>>>>> >> >
>>>>> >> > http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
>>>>> >> >
>>>>> >> > As I understand Radiant uses a vendor Rails 2.3.14 version. How can one
>>>>> >> > update Radiant to use the security-fixed Rails 2.3.15 version?
>>>>> >> >
>>>>> >> > Thanks for any suggestions.
>>>>> >> >
>>>>> >> > Best,
>>>>> >> > Toine

--
Write intention revealing code #=> http://www.clean-ruby.com

Jim Gay
Saturn Flyer LLC
571-403-0338
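The patch message quoted above says the fixed Hash.from_xml raises on type="symbol" and type="yaml"; the following is an added illustration of that behaviour, not Rails code, written as a small stand-alone "trusted XML" parameter parser on top of REXML. The names trusted_params_from_xml, element_to_value and UnsafeXmlType are invented here, and the sample documents are constructed.

```ruby
require 'rexml/document'

class UnsafeXmlType < StandardError; end

# The two type attributes the 2.3.15 patch message names: before the patch the
# XML parser handed their text to YAML / String#to_sym; here they are refused.
FORBIDDEN_TYPES = %w[yaml symbol].freeze

# Allow-list of typecasts this example accepts; anything else is rejected.
TYPECASTS = {
  nil       => ->(s) { s },
  'string'  => ->(s) { s },
  'integer' => ->(s) { Integer(s, 10) },
  'boolean' => ->(s) { %w[true 1].include?(s.strip) },
}.freeze

# Convert one REXML element to a Ruby value, recursing into child elements.
def element_to_value(el)
  type = el.attributes['type']
  raise UnsafeXmlType, "refusing type=\"#{type}\" on <#{el.name}>" if FORBIDDEN_TYPES.include?(type)

  children = el.elements.to_a
  if children.empty?
    cast = TYPECASTS.fetch(type) { raise UnsafeXmlType, "unknown type=\"#{type}\" on <#{el.name}>" }
    return cast.call(el.text.to_s)
  end
  children.each_with_object({}) { |c, h| h[c.name] = element_to_value(c) }
end

# Parse a request body (as a param parser would receive it) into a params Hash.
def trusted_params_from_xml(body)
  root = REXML::Document.new(body).root
  { root.name => element_to_value(root) }
end

# Constructed inputs: a benign document and one carrying the rejected attribute.
SAFE_XML   = '<post><title>Hello</title><views type="integer">12</views><draft type="boolean">true</draft></post>'
UNSAFE_XML = '<post><title type="yaml">--- just a string</title></post>'

if __FILE__ == $PROGRAM_NAME
  p trusted_params_from_xml(SAFE_XML)
  begin
    trusted_params_from_xml(UNSAFE_XML)
  rescue UnsafeXmlType => e
    puts "rejected: #{e.message}"
  end
end
```

Deleting Mime::XML from param_parsers, as the thread recommends, removes the parser entirely; this shows the narrower alternative of keeping XML parameters while refusing the unsafe typed values.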