Fix for SQL injection on :limit and :offset should be backported
Reported by Jon Leighton | September 3rd, 2008 @ 03:51 PM | in 2.0.3
The fix in #288 is a serious security vulnerability and should be backported to all stable branches.
Comments and changes to this ticket
Jon Leighton September 3rd, 2008 @ 04:08 PM
More info about the problem on this blog post: http://blog.innerewut.de/2008/6/...
The facts we have:
- The problem is fixed in the abstract adapter for 2.1.0
- The problem is not fixed for the 2.0 or 1.2 branches
- The problem is not fixed for the mysql adapter for 2.1.0, but will be fixed when 2.1.1 is released. This is not such a huge issue as mysql stops more than one query being sent at once
So basically it's not a huge issue that the mysql adapter fix hasn't been released for the 2.1 branch, but no fix at all has been released for the other branches and so they are both vulnerable.
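An added illustration, not code from this ticket or from Rails itself: a small Ruby module (the name `LimitOffsetSanitizer` and its methods are hypothetical) that places the defect class the thread describes, a user-supplied `:limit`/`:offset` spliced into the SQL string unchecked, next to a hardened version that accepts only non-negative integers before building the clause. All inputs are constructed for the example.

```ruby
# Added example, not from the ticket or the Rails code base.
# Shows why :limit / :offset must be coerced to integers before they are
# interpolated into a SQL string, and what the unsafe pattern looks like.
module LimitOffsetSanitizer
  class InvalidClause < ArgumentError; end

  # Accept only a non-negative integer, given either as an Integer or as a
  # digit-only String. A regex check is used rather than String#to_i alone,
  # because "10abc".to_i silently returns 10 and would hide bad input.
  def self.sanitize_integer(value, name)
    case value
    when Integer
      raise InvalidClause, "#{name} must be >= 0" if value < 0
      value
    when String
      raise InvalidClause, "#{name} must be digits only" unless value =~ /\A\d+\z/
      value.to_i
    else
      raise InvalidClause, "#{name} must be an integer"
    end
  end

  # Hardened: the LIMIT/OFFSET fragment is built only from sanitized integers,
  # so whatever the caller passed can never change the shape of the query.
  def self.add_limit_offset(sql, options)
    sql = sql.dup
    sql << " LIMIT #{sanitize_integer(options[:limit], 'limit')}" if options[:limit]
    sql << " OFFSET #{sanitize_integer(options[:offset], 'offset')}" if options[:offset]
    sql
  end

  # Unsafe (the pattern the ticket is about): the raw value is spliced into
  # the statement, so a non-numeric string becomes part of the SQL text.
  def self.unsafe_add_limit_offset(sql, options)
    sql = sql.dup
    sql << " LIMIT #{options[:limit]}" if options[:limit]
    sql << " OFFSET #{options[:offset]}" if options[:offset]
    sql
  end
end

if __FILE__ == $0
  base = "SELECT * FROM posts"                       # constructed query
  puts LimitOffsetSanitizer.add_limit_offset(base, limit: "10", offset: 20)
  begin
    LimitOffsetSanitizer.add_limit_offset(base, limit: "10; SELECT 1")   # constructed bad input
  rescue LimitOffsetSanitizer::InvalidClause => e
    puts "rejected: #{e.message}"
  end
  puts LimitOffsetSanitizer.unsafe_add_limit_offset(base, limit: "10; SELECT 1")
end
```

The hardened method is the one to keep in mind when reading the thread's point about MySQL: the sanitizer does not rely on the adapter refusing stacked queries, so it protects PostgreSQL and SQLite installs in the same way.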
Jeremy Kemper September 3rd, 2008 @ 10:22 PM
- → State changed from new to open
- → Milestone changed from 2.x to 2.0.3
- → Assigned user changed from to Jeremy Kemper
We surveyed folks a while back. Pretty much nobody is affected by this. I agree it's backport-worthy, but it's not a crisis.
Care to backport it?
Jon Leighton September 4th, 2008 @ 07:41 AM
What's the criteria for a security issue being considered a "priority"? I run with postgres on the 2.0 branch, which means my application would be vulnerable if we were using user-specified offset/limit. Granted a very small number of people run postgres/sqlite compared to mysql, and presumably a smaller number still allow the user to specify limit/offset, but it seems this could affect somebody, and would be quite serious for them if they were targeted.
Anyway, I'd be happy to backport it, will report back with a patch.
