I'm probably making this harder than it should be... but if so, the Internet will correct me :-)
Anyhow, I wanted to apply the Rails XSS vulnerability patch (CVE-2009-3009) on a machine that was running Rails 2.3.2. The gems weren't frozen into the app, though; they were just installed system-wide in /usr/local/lib/ruby/gems/1.8/gems/.
I moved over to the gems directory and tried to apply the patch, but I got the "which file do you want to apply the patch to" prompt. It makes sense: the patch is a -p1 diff against the Rails source tree, so it wants to change (for example) activesupport/lib/active_support/multibyte.rb, but every installed gem directory has the version number attached, e.g. activesupport-2.3.2, so that path doesn't exist. I was getting ready to pick the patch apart and rewrite its paths, but then thought "hold on, symlinks!" A version-free symlink for each gem the patch touches makes the paths resolve, and it can be removed once the patch is in. So I did this:
$ cd /usr/local/lib/ruby/gems/1.8/gems/
$ sudo ln -s activesupport-2.3.2 activesupport
$ sudo ln -s actionpack-2.3.2 actionpack
$ sudo patch -p1 < /home/tom/2-3-CVE-2009-3009.patch
patching file activesupport/lib/active_support/multibyte.rb
patching file activesupport/lib/active_support/multibyte/chars.rb
Hunk #2 succeeded at 283 (offset -15 lines).
Hunk #4 succeeded at 622 (offset -15 lines).
patching file activesupport/lib/active_support/multibyte/utils.rb
patching file activesupport/test/multibyte_utils_test.rb
patching file actionpack/lib/action_view/helpers/tag_helper.rb
$ sudo rm -f actionpack
$ sudo rm -f activesupport
Restart the app, and huzzah! All's well. One thing to double-check: the symlinks have to point at the version the app actually loads (here 2.3.2); any other Rails versions sitting in that directory are still unpatched.
This made applying the patch much easier. Thank you!
Posted by: Andy Stewart | September 05, 2009 at 11:56 AM
Thank you very much :)
Posted by: Fabian Ramirez | September 07, 2009 at 12:18 PM
Thanks Tom, good thinking.
Posted by: Craig Bruenderman | September 08, 2009 at 05:30 PM
Don't know if the patch is malformed; anyway, I followed your exact procedure. It works for 2.2, but when I try to patch 2.3 it always keeps asking me which file to patch... What am I doing wrong? Anyway, thanks for your guidelines.
Posted by: yortz | September 14, 2009 at 10:58 AM
Sorry, my fault... now it works like a charm. Thanks again.
Posted by: yortz | September 14, 2009 at 11:20 AM
@yortz, @craig, @fabian, @andy, no problem, glad it helped!
Posted by: tomcopeland | September 14, 2009 at 05:15 PM
Thanks Tom! Nice to see someone come through with a concise way to knock that out, especially with all of the 2.3.4 upgrade issues.
Posted by: Chris M | September 16, 2009 at 05:10 PM