I’ve constructed a hotfix for the cgi.rb vulnerability of yesterday.
Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when the multipart boundary attribute contains a non-halting regular expression string. The boundary searcher in the CGI module does not properly escape the user-supplied parameter, so it will execute arbitrary regular expressions. The fix adds escaping for the user data.
See the included test to see how the vulnerability works.
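The escaping problem described above, as an added Ruby sketch (not the hotfix's code and not its included test). The method names, sample bodies and boundary values are constructed for illustration, and the delimiter regex is a simplified stand-in for the one in cgi.rb.

```ruby
# Added example: simplified delimiter search, not the actual cgi.rb code.

# Build the delimiter regex from the Content-Type boundary parameter.
# escape: false mirrors the flaw described above, escape: true the fix.
def boundary_pattern(boundary, escape:)
  delim = "--" + boundary
  delim = Regexp.escape(delim) if escape
  Regexp.new(delim + "(?:\r\n|--)")
end

# Count delimiter lines found in a body. Returns :invalid when the
# boundary does not even compile as a regular expression.
def count_delimiters(body, boundary, escape:)
  body.scan(boundary_pattern(boundary, escape: escape)).length
rescue RegexpError
  :invalid
end

# Constructed multipart body with exactly two delimiter lines.
def sample_body(boundary)
  "--#{boundary}\r\n" \
  "Content-Disposition: form-data; name=\"f\"\r\n\r\n" \
  "hello\r\n" \
  "--#{boundary}--\r\n"
end

if __FILE__ == $PROGRAM_NAME
  cases = [
    ["XbndX", "XbndX"],  # plain boundary: both variants agree
    ["XbndX", "X...X"],  # metacharacters act as wildcards when unescaped
    ["a+b",   "a+b"],    # legitimate boundary with "+" is missed unescaped
    ["XbndX", "("],      # unescaped: pattern fails to compile
  ]
  cases.each do |in_body, claimed|
    body = sample_body(in_body)
    raw  = count_delimiters(body, claimed, escape: false)
    safe = count_delimiters(body, claimed, escape: true)
    puts format("body=%-6s claimed=%-6s unescaped=%-8s escaped=%s",
                in_body, claimed, raw.inspect, safe.inspect)
  end
end
```

With escaping, the claimed boundary only ever matches itself as a literal string, so the regex engine never runs a client-chosen pattern.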
This fix is cumulative with previous CGI multipart vulnerability fixes; see version 1.0.0 of the gem by Zed Shaw.
- Affected: standalone CGI, Mongrel, WEBrick
- Unaffected: FastCGI
- Unknown: mod_ruby
Licensed under the same license as Ruby itself. Software contains the work of others.