My Photo
I've been Twittering
The U.S. Navy reading list

Tom Copeland's Recent Posts

RSS Feeds

All/ Java/ Ruby/ PostgreSQL/ General

« What gem namespaces does that RubyForge project own? | Main | The rubyforge gem and the RubyForge REST API »

Applying the Rails XSS vulnerability patch

I'm probably making this harder than it should be... but if so, the Internet will correct me :-)

Anyhow, I wanted to apply the Rails XSS vulnerability patch on a machine that was running Rails 2.3.2. The gems weren't frozen to the app, though, they were just out there in /usr/local/lib/ruby/gems/1.8/gems/.

I moved over to the gems directory and tried to apply the patch, but I got the "which file do you want to apply the patch to" message. It makes sense; the patch wants to make the change to (for example) activesupport/lib/active_support/multibyte.rb and all the gem directories have the version numbers attached - e.g., activesupport-2.3.2. I was getting ready to kind of pick the patch apart but then thought "hold on, symlinks!" So I did this:

$ cd /usr/local/lib/ruby/gems/1.8/gems/
$ sudo ln -s activesupport-2.3.2 activesupport
$ sudo ln -s actionpack-2.3.2 actionpack
$ sudo patch -p1 < /home/tom/2-3-CVE-2009-3009.patch
patching file activesupport/lib/active_support/multibyte.rb
patching file activesupport/lib/active_support/multibyte/chars.rb
Hunk #2 succeeded at 283 (offset -15 lines).
Hunk #4 succeeded at 622 (offset -15 lines).
patching file activesupport/lib/active_support/multibyte/utils.rb
patching file activesupport/test/multibyte_utils_test.rb
patching file actionpack/lib/action_view/helpers/tag_helper.rb
$ sudo rm -f actionpack
$ sudo rm -f activesupport

Restart the app, and huzzah! All's well.

September 04, 2009 in Ruby |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83451d3c069e20120a549bb15970b

Listed below are links to weblogs that reference Applying the Rails XSS vulnerability patch:

Comments

This made applying the patch much easier. Thank you!

Posted by: Andy Stewart | September 05, 2009 at 11:56 AM

Thanks you very much :)

Posted by: Fabian Ramirez | September 07, 2009 at 12:18 PM

Thanks Tom, good thinking.

Posted by: Craig Bruenderman | September 08, 2009 at 05:30 PM

don't know if the patch is malformed, anyway i followed your exact procedure, it works for 2.2, but when i try to patch 2.3 always keeps asking me witch file to patch... what am i doing wrong? anyway thanks for your guidelines.

Posted by: yortz | September 14, 2009 at 10:58 AM

sorry my fault... now it works like a charm, thanks again

Posted by: yortz | September 14, 2009 at 11:20 AM

@yortz, @craig, @fabian, @andy, no problem, glad it helped!

Posted by: tomcopeland | September 14, 2009 at 05:15 PM

Thanks Tom! Nice to see someone come through with a concise way to knock that out, especially with all of the 2.3.4 upgrade issues.

Posted by: Chris M | September 16, 2009 at 05:10 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.