    Do not use open-uri to fetch encoded content for paperclip · 3e4af691
    Diego de Araújo Martinez Camarinha authored
    The OpenURI module introduces several vulnerabilities. In short, it accepts
    any string and calls Kernel#open. Because Ruby executes commands if the
    string starts with a pipe, an attacker could pass strings like '|ls' or
    '|cat /etc/passwd'. In other words, an attacker could execute any script.
    More info here: http://sakurity.com/blog/2015/02/28/openuri.html

    Now, we use URI#parse to fetch the URI and let paperclip work its magic
    to fetch the encoded content and store it. Although paperclip uses
    OpenURI too (UriAdapter class), it tries to create a valid URI from the
    string (HttpUrlProxyAdapter class). If the string does not conform to the
    rules defined in RFC 2396, it will raise an exception. That should be
    enough to mitigate the attacks mentioned (paperclip also raises errors
    if it cannot access the URI).

    Of course, if Ruby's implementation of RFC 2396 has security issues, we
    are still vulnerable (I don't think that's the case).
    Signed-off-by: Heitor Reis <marcheing@gmail.com>
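The pipe behaviour and the URI-parsing mitigation the commit message describes, as an added example that is not part of this commit or of paperclip's code. `fetch_unsafe` is the pre-fix shape (Kernel#open on an attacker-controlled string); `remote_uri_for` is a hypothetical hardened form that parses first and then also requires an absolute http(s) URI, because `URI.parse` alone rejects `|ls` (the `|` and the space are not legal URI characters) but still happily returns a relative `URI::Generic` for `ls` and a `URI::File` for `file:///etc/passwd`. The fetcher lambda stands in for paperclip's adapter so the block runs offline; the command in the unsafe call is a harmless `echo` chosen only to show that a subprocess really is spawned.

```ruby
require 'uri'

# PRE-FIX SHAPE (deliberately vulnerable, shown for contrast): Kernel#open
# treats a leading "|" as "spawn the rest as a subprocess", so an attacker who
# controls `str` runs commands. Never call this with untrusted input.
def fetch_unsafe(str)
  open(str, &:read)
end

# HARDENED FORM (assumption: this is how a caller could validate before
# handing the value to any opener). URI.parse raises URI::InvalidURIError for
# strings such as "|ls" or "|cat /etc/passwd"; the class and host checks then
# close the gaps a bare parse leaves open ("ls" parses as a relative
# URI::Generic, "file:///etc/passwd" parses as URI::File, "http:foo" parses
# as URI::HTTP with no host).
def remote_uri_for(str)
  uri = URI.parse(str)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "not an absolute http(s) URL: #{str.inspect}"
  end
  uri
end

# Classifies one input so the three outcomes can be compared side by side.
def classify(str)
  remote_uri_for(str)
  :accepted
rescue URI::InvalidURIError
  :rejected_by_parser   # e.g. "|ls", "|cat /etc/passwd"
rescue ArgumentError
  :rejected_by_scheme   # e.g. "ls", "/etc/passwd", "file:///etc/passwd"
end

# Fetches only after validation. `fetcher` receives a URI object, never the
# raw string, so a pipe prefix can never reach Kernel#open. In a real
# application the fetcher would be paperclip's adapter or URI.open.
def fetch_checked(str, fetcher)
  fetcher.call(remote_uri_for(str))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two of the commit's attack strings plus the
  # cases that URI.parse alone would have let through.
  samples = ['|ls', '|cat /etc/passwd', 'ls', 'file:///etc/passwd',
             'http:foo', 'https://example.com/avatar.png']
  samples.each { |s| puts "#{s.inspect} => #{classify(s)}" }

  stub = ->(uri) { "would fetch #{uri}" }
  puts fetch_checked('https://example.com/avatar.png', stub)
  begin
    fetch_checked('|echo pwned', stub)
  rescue URI::InvalidURIError => e
    puts "blocked before any open: #{e.class}"
  end
end
```

The interesting property is the order of operations: validation happens on the string and produces a typed `URI::HTTP` object, so the code that actually opens the resource never sees the raw user input and there is nothing left for a `|` prefix to influence.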