cgi.rb vulnerability hotfix

I’ve constructed a hotfix for the cgi.rb vulnerability of yesterday.

what’s fixed?

Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string. The boundary searcher in the CGI module does not properly escape the user-supplied parameter and will execute arbitrary regular expressions. The fix adds escaping for the user data.

See the included test to see how the vulnerability works.

This is fix is cumulative with previous CGI multipart vulnerability fixes; see version 1.0.0 of the gem by Zed Shaw.

scope

Affected: standalone CGI, Mongrel, WEBrick
Unaffected: FastCGI
Unknown: mod_ruby

resources

Official vulnerability announcement, my original post, and this post.

license

Licensed under the same license as Ruby itself. Software contains the work of others.

3 responses

Luis Lavena says:

August 20, 2007 at 8:28 PM

Hi Evan,

Glad you update the hotfix for the new vulnerability, but why it depends on hoe 1.1.6?

Guess is a bit of overhead for just a hotfix.

Later,

Luis
evan says:

August 20, 2007 at 8:29 PM

I used Dr. Nic’s newgem generator to make the gem, and that uses hoe for the Rake tasks, and I can’t figure out how to get hoe to generate a gem that doesn’t have hoe itself as a dependency. I agree that it’s a little annoying.
evan says:

August 20, 2007 at 8:30 PM

Luis, fixed.

evan weaver

engineer/founder/investor