Author Archives: admin
This Deal’s Getting Worse All The Time
Rails Security Alert – 2014-05-06
Wildcard routes.
There is a vulnerability in the ‘implicit render’ functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.
Versions Affected: All Supported
Not affected: None
Fixed Versions: 4.1.1, 4.0.5, 3.2.18Impact
——
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.In order to be vulnerable an application must specifically use globbing routes[1] in combination with the :action parameter. The purpose of the route globbing feature is to allow parameters to contain characters which would otherwise be regarded as separators, for example ‘/’ and ‘.’. As these characters have semantic meaning within template filenames, it is highly unlikely that applications are deliberately combining these functions.
To determine if you are vulnerable, search your application’s routes files for ‘*action’ and if you find any, use one of the work arounds below.
Releases
——–
The 4.1.1, 4.0.5 and 3.2.18 releases are available at the normal locations.Workarounds
———–
The simplest workaround is to simply not use globbing matches for the :action parameter. As action methods cannot contain a ‘/’ character, the simple matching should be sufficient. So replaceget ‘my_url/*action’, controller: ‘asdf’
with
get ‘my_url/:action’, controller: ‘asdf’
If your application depends on this functionality, you will need to rename the route parameter and add an explicit action:
get ‘my_url/*template_path’, controller: ‘asdf’, action: ‘display’
Then add an action which renders explicitly:
def display
if !params[:template_path].index(‘.’)
render file: params[:template_path]
end
endNote: The path check in this example may not be suitable for your application, take care
Patches
——-
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.* 4-1-directory_traversal.patch – Patch for 4.1 series
* 4-0-directory_traversal.patch – Patch for 4.0 series
* 3-2-directory_traversal.patch – Patch for 3.2 seriesPlease note that only the 4.1.x, 4.0.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
——-
Thanks to Ville Lautanala of Flowdock for reporting the vulnerability to us, and working with us on a fix.[1] http://guides.rubyonrails.org/routing.html#route-globbing-and-wildcard-segments
Daily Vitamin #15 – iOS Web Server, Ubuntu 14.04LTS
Lightweight GCD based HTTP server for OS X & iOS (includes web based uploader & WebDAV server)
GCDWebServer was originally written for the ComicFlow comic reader app for iPad. It allow users to connect to their iPad with their web browser over WiFi and then upload, download and organize comic files inside the app.
Ubuntu 14.04LTS – New LTS, desktop looks lot more like Mac OS X, which means it’s friendlier to use.
App Business – Marco Arment’s Talk at XOXO
Tips for Starting Haskell
I began recording a series of Haskell screencasts, but as always, had to move all my focus aways from anything personal due to work. Rather than throwing the notes away, I’ll post some of them here as I go through my spring cleaning.
Below are the links I was going to mention in the screencast.
To install Haskell on your Mac, use Homebrew by following these steps:
$ brew update
$ brew install haskell-platform
$ echo 'export PATH=~/.cabal/bin:$PATH' >> ~/.zshrc
$ cabal update
Please be advised that I use zsh, so that’s why the third step is .zshrc. If you use bash, then change that to .bashrc or .profile.
To verify that the installation, start ghci.
cabal is a package manager for the platform. Test the cabal by installing pandoc (since it’s an essential tool, right?) for documentation since we all LOVE documentation. 😉
$ cabal install pandoc
BTSync – Better Alternative to Dropbox
Although I still think that Dropbox is a great service, I just didn’t like the limitation and uneasy feeling of having my files sitting on someone else’s server. That’s why when BTSync came out, I decided to give it a try and it’s been a year since I switched and thought it was about time I gave my thoughts.
I won’t go into technical details here, but it’s not any insecure than other services. You can find more about it at https://www.bittorrent.com/sync
Things I Like
1. The file syncs lot faster between my computers.
2. Works without making me think about it.
3. The files are on my machines and on my server with a web UI. See below.
4. Free!!!
5. Automatically syncs anywhere.
6. Did I mention it’s FAST?
7. Super easy to set up.
From Security Now
Final Thoughts
Don’t let the “beta” fool you. I’ve been using this for over a year and didn’t even know that this was still in beta. It’s lot better than Dropbox since it also keeps versions for you just in case you make the mistake of deleting files. I personally believe that BTSync IS the Dropbox killer. I have yet to find anything that would make me think that Dropbox is a better product.
Developer’s Life
Something Interesting From My Past – MSDN
Cocoa’s Nil Behavior to Ruby
As you may or may not know, when you send a message to nil in Cocoa, it doesn’t do anything and certainly doesn’t raise any exception. You may or may not agree with the design, but we’ve all programmed just fine with this fact.
Having said that, what if you wanted the same behavior in Ruby?
NilClass.class_eval { define_method(:method_missing) {|*args| self} }
Is this a good idea?
* this is a code joke, please don’t take it too seriously