Sheldon Hearn wrote:
> It's possible that no backporting is required for sid, because
> rails-1.2.4 has been released:
> http://weblog.rubyonrails.com/2007/10/5/rails-1-2-4-maintenance-release
Ha, just as I took the time yesterday to complete the backport to Sid :)
> So that would leave etch the only target, and I'm not even sure if
> rails-1.1.6 had json support.
It does. But there is another issue that is XSS problematic.
http://dev.rubyonrails.org/ticket/8877
Without this patch, it is possible to inject code under some
circumstances. The patch is giant and difficult to get into Sid. The
to_json patch is very simple in comparison.
To further complicate the problem, upstream is not really
security-centered. They established a security mailing list to inform
people about patches, but there have been no posts even though there is
a problem with to_json and the above XSS. There was also a DoS attack
possible (send badly formatted XML and rails uses all CPU time) but that
was caused on a ruby library side.
> So that just leaves lenny, and it might be quicker just to wait the 10
> days for it to be promoted from sid to lenny, than to do the work of
> backporting the XSS fix to 1.2.3.
Lenny doesn't matter right now as part of security. This is not a remote
code execution, hence foot-dragging on my part. It is only an XSS that is
specific to usage of some code in rails. There are ways a web
application can treat all input data and sanitize it without relying on
rails/ruby to do it with magic functions.
I'll upload 1.2.4 into Sid later today.
- Adam
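The to_json problem discussed above, and Adam's remark that an application can escape data itself instead of depending on the framework, is illustrated by the following Ruby example. It is an added example, not code from this thread, from Debian, or from rails, and it does not reproduce the rails patch: the helper names `json_for_script`, `html_text`, `script_safe?` and `profile_snippet` are hypothetical, and `UNTRUSTED_NAME` is a constructed sample value. The point is context-specific output encoding: JSON that is inlined in an HTML `<script>` element must not contain raw `<`, `>` or `&` (a `</script>` inside a string would otherwise end the element), while the same value shown as HTML text needs entity encoding instead. Rewriting those three characters as `\uXXXX` escapes keeps the JSON valid, so the client-side parse still yields the original string.

```ruby
require 'json'
require 'cgi'

# Constructed sample standing in for a user-supplied form field.
# It deliberately contains the characters that matter in a script context.
UNTRUSTED_NAME = "</script><b>x</b> & co"

# JSON text that is safe to inline inside an HTML <script> element.
# Generate ordinary JSON first, then rewrite the three characters that can
# terminate a script block or start an entity as \uXXXX escapes. The result
# is still valid JSON, so JSON.parse on the client restores the original.
def json_for_script(hash)
  JSON.generate(hash).gsub(/[<>&]/) { |c| format('\u%04X', c.ord) }
end

# HTML body context: entity-encode instead of JSON-escaping.
def html_text(value)
  CGI.escapeHTML(value.to_s)
end

# True when the JSON text contains none of the raw characters that would
# let it break out of the surrounding <script> element.
def script_safe?(json_text)
  !json_text.match?(/[<>&]/)
end

# Same untrusted value rendered into both contexts with the right encoding
# for each; neither output depends on the framework's own to_json.
def profile_snippet(name)
  data = json_for_script({ 'name' => name })
  "<script>var user = #{data};</script><p>#{html_text(name)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  puts profile_snippet(UNTRUSTED_NAME)
end
```

Run it directly to see the two encodings side by side; the `<script>` payload keeps its meaning for the browser's JSON parser while the raw angle brackets and ampersand never reach the markup.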