I'm probably making this harder than it should be... but if so, the Internet will correct me :-)
Anyhow, I wanted to apply the Rails XSS vulnerability patch on a machine that was running Rails 2.3.2. The gems weren't frozen to the app, though, they were just out there in
I moved over to the
gems directory and tried to apply the patch, but I got the "which file do you want to apply the patch to" message. It makes sense; the patch wants to make the change to (for example) activesupport/lib/active_support/multibyte.rb and all the gem directories have the version numbers attached - e.g., activesupport-2.3.2. I was getting ready to kind of pick the patch apart but then thought "hold on, symlinks!" So I did this:
$ cd /usr/local/lib/ruby/gems/1.8/gems/
$ sudo ln -s activesupport-2.3.2 activesupport
$ sudo ln -s actionpack-2.3.2 actionpack
$ sudo patch -p1 < /home/tom/2-3-CVE-2009-3009.patch
patching file activesupport/lib/active_support/multibyte.rb
patching file activesupport/lib/active_support/multibyte/chars.rb
Hunk #2 succeeded at 283 (offset -15 lines).
Hunk #4 succeeded at 622 (offset -15 lines).
patching file activesupport/lib/active_support/multibyte/utils.rb
patching file activesupport/test/multibyte_utils_test.rb
patching file actionpack/lib/action_view/helpers/tag_helper.rb
$ sudo rm -f actionpack
$ sudo rm -f activesupport
Restart the app, and huzzah! All's well.
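The same symlink trick wrapped in a function, as an added example that is not part of the original post: it dry-runs the patch first so a rejected hunk leaves the installed gems untouched, and it always removes the temporary links. The function name `apply_gem_patch` and the `--dry-run` and `-N` safeguards are additions here, not something the post used.

```shell
#!/bin/sh
# apply_gem_patch GEMS_DIR PATCH_FILE VERSION NAME...
# (hypothetical helper; PATCH_FILE must be an absolute path because we cd)
#
# For each NAME, temporarily links NAME -> NAME-VERSION inside GEMS_DIR so the
# unversioned paths in the patch resolve, applies the patch only if a dry run
# succeeds, then removes every link it created. Returns non-zero on failure.
#
# With the values from this post (run as root):
#   apply_gem_patch /usr/local/lib/ruby/gems/1.8/gems \
#       /home/tom/2-3-CVE-2009-3009.patch 2.3.2 activesupport actionpack
apply_gem_patch() {
    gems_dir=$1; patch_file=$2; version=$3; shift 3
    (
        cd "$gems_dir" || exit 1
        status=0
        linked=""
        for name in "$@"; do
            # Never clobber something that already sits at the unversioned name.
            if [ -e "$name" ] || [ -L "$name" ]; then
                echo "refusing: $gems_dir/$name already exists" >&2
                status=1; break
            fi
            if [ ! -d "$name-$version" ]; then
                echo "missing: $gems_dir/$name-$version" >&2
                status=1; break
            fi
            ln -s "$name-$version" "$name" || { status=1; break; }
            linked="$linked $name"
        done
        if [ "$status" -eq 0 ]; then
            # --dry-run changes no files; -N refuses an already-applied patch
            # instead of asking whether to reverse it.
            if patch -p1 -N --dry-run < "$patch_file" >/dev/null; then
                patch -p1 -N < "$patch_file" || status=1
            else
                echo "patch does not apply cleanly; nothing changed" >&2
                status=1
            fi
        fi
        # Remove only the links created above, whatever happened.
        for name in $linked; do rm -f "$name"; done
        exit "$status"
    )
}
```

"Offset" messages like the ones in the output above still pass the dry run; only rejected hunks or missing files make it fail.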