- 浏览: 2048177 次
- 性别:
- 来自: NYC
文章分类
- 全部博客 (628)
- Linux (53)
- RubyOnRails (294)
- HTML (8)
- 手册指南 (5)
- Mysql (14)
- PHP (3)
- Rails 汇总 (13)
- 读书 (22)
- plugin 插件介绍与应用 (12)
- Flex (2)
- Ruby技巧 (7)
- Gem包介绍 (1)
- javascript Jquery ext prototype (21)
- IT生活 (6)
- 小工具 (4)
- PHP 部署 drupal (1)
- javascript Jquery sort plugin 插件 (2)
- iphone siri ios (1)
- Ruby On Rails (106)
- 编程概念 (1)
- Unit Test (4)
- Ruby 1.9 (24)
- rake (1)
- Postgresql (6)
- ruby (5)
- respond_to? (1)
- method_missing (1)
- git (8)
- Rspec (1)
- ios (1)
- jquery (1)
- Sinatra (1)
最新评论
-
dadadada2x:
user模型里加上 protected def email ...
流行的权限管理 gem devise的定制 -
Sev7en_jun:
shrekting 写道var pattern = /^(0| ...
强悍的ip格式 正则表达式验证 -
jiasanshou:
好文章!!!
RPM包rpmbuild SPEC文件深度说明 -
寻得乐中乐:
link_to其实就是个a标签,使用css控制,添加一个参数: ...
Rails在link_to中加参数 -
aiafei0001:
完全看不懂,不知所然.能表达清楚一点?
"$ is not defined" 的问题怎么办
A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites, users are advised to take the mitigating steps described below immediately.
The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false.
If the return value was nil, rails proceeded to verify this value against the provided password. Because of this an attacker can provide an invalid username and no password and authentication will succeed.
Fixed Versions
We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.
Steps to Protect your application.
Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:
Disclosure Notes
Due to communication difficulties and a mis-understanding between the reporter and the security team. This vulnerability has been publicly disclosed on several websites, users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.
Nate Kontny of Inkling Markets has found a nasty security hole in the code example provided in both the documentation and blog post for the Digest Authentication functionality in Rails 2.3. If you've built your routine in a similar way to that as shown in the Rails documentation or blog post, you might be open to security issues.
Here's the code example in question:
Notice that authenticate uses the Users hash to authenticate the HTTP Digest Auth request? When you call hashes with non-existing keys, nil is returned. Luckily, Rails' digest authentication routines consider a response of nil as an authentication failure but if the password actually supplied is blank (ending up as nil), things don't quite work out as intended since nil == nil and you get right through the authentication!
Nate has written up a ton of info about this, including a test and a patch, and it's a must-read unless you're totally confident you have this covered already.
Worryingly, Nate claims that he has had little luck in raising this vulnerability with the Rails core team:
I've attempted to contact this security list and a couple members on the core team through their individual email accounts over a week ago. I've only received one response last Thursday that someone would look into it, but the issue seemed to die there.
Now that enough time has been given for the security list to look into the problem (and hopefully not ignore it), the best practice I thought would be to tell as many people as possible about it so the fix can be applied and publicized. I felt I'd get a lot bigger audience here at Hacker news than the rails bug tracker. The bigger the audience the more people that can get their Rails 2.3 instances fixed if they are effected and avoid a problem. I was also planning on posting it there, but feel free to do it as well.
The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false.
If the return value was nil, rails proceeded to verify this value against the provided password. Because of this an attacker can provide an invalid username and no password and authentication will succeed.
Fixed Versions
We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.
Steps to Protect your application.
Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:
authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] end Should instead be something like: authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] || false end
Disclosure Notes
Due to communication difficulties and a mis-understanding between the reporter and the security team. This vulnerability has been publicly disclosed on several websites, users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.
Nate Kontny of Inkling Markets has found a nasty security hole in the code example provided in both the documentation and blog post for the Digest Authentication functionality in Rails 2.3. If you've built your routine in a similar way to that as shown in the Rails documentation or blog post, you might be open to security issues.
Here's the code example in question:
class PostsController < ApplicationController Users = {"dhh" => "secret"} before_filter :authenticate def index render :text => "You needed a password to see this…" end private def authenticate realm = "Application" authenticate_or_request_with_http_digest(realm) do |name| Users[name] end end end
Notice that authenticate uses the Users hash to authenticate the HTTP Digest Auth request? When you call hashes with non-existing keys, nil is returned. Luckily, Rails' digest authentication routines consider a response of nil as an authentication failure but if the password actually supplied is blank (ending up as nil), things don't quite work out as intended since nil == nil and you get right through the authentication!
Nate has written up a ton of info about this, including a test and a patch, and it's a must-read unless you're totally confident you have this covered already.
Worryingly, Nate claims that he has had little luck in raising this vulnerability with the Rails core team:
I've attempted to contact this security list and a couple members on the core team through their individual email accounts over a week ago. I've only received one response last Thursday that someone would look into it, but the issue seemed to die there.
Now that enough time has been given for the security list to look into the problem (and hopefully not ignore it), the best practice I thought would be to tell as many people as possible about it so the fix can be applied and publicized. I felt I'd get a lot bigger audience here at Hacker news than the rails bug tracker. The bigger the audience the more people that can get their Rails 2.3 instances fixed if they are effected and avoid a problem. I was also planning on posting it there, but feel free to do it as well.
发表评论
-
Destroying a Postgres DB on Heroku
2013-04-24 10:58 885heroku pg:reset DATABASE -
VIM ctags setup ack
2012-04-17 22:13 3212reference ctags --extra=+f --e ... -
alias_method_chain方法在3.1以后的替代使用方式
2012-02-04 02:14 3236alias_method_chain() 是rails里的一个 ... -
一些快速解决的问题
2012-01-19 12:35 1432问题如下: 引用Could not open library ... -
API service 安全问题
2011-12-04 08:47 1339这是一个长期关注的课题 rest api Service的 ... -
Module方法调用好不好
2011-11-20 01:58 1297以前说,用module给class加singleton方法,和 ... -
一个ajax和rails交互的例子
2011-11-19 01:53 1855首先,这里用了一个,query信息解析的包,如下 https: ... -
Rails 返回hash给javascript
2011-11-19 01:43 2233这是一个特别的,不太正统的需求, 因为,大部分时候,ajax的 ... -
关于Rubymine
2011-11-18 23:21 2223开个帖子收集有关使用上的问题 前一段时间,看到半价就买了。想 ... -
ruby中和javascript中,动态方法的创建
2011-11-18 21:01 1187class Klass def hello(*args) ... -
textmate快捷键 汇总
2011-11-16 07:20 8086TextMate 列编辑模式 按住 Alt 键,用鼠标选择要 ... -
Ruby面试系列六,面试继续面试
2011-11-15 05:55 1973刚才受到打击了,充分报漏了自己基础不扎实,不肯向虎炮等兄弟学习 ... -
说说sharding
2011-11-13 00:53 1431这个东西一面试就有人 ... -
rails面试碎碎念
2011-11-12 23:51 1894面试继续面试 又有问ru ... -
最通常的git push reject 和non-fast forward是因为
2011-11-12 23:29 17143git push To git@github.com:use ... -
Rails 自身的many to many关系 self has_many
2011-11-12 01:43 2675简单点的 #注意外键在person上people: id ... -
Rails 3下的 in place editor edit in place
2011-11-12 01:20 908第一个版本 http://code.google.com/p ... -
Heroku 的诡异问题集合
2011-11-11 07:22 1655开个Post记录,在用heroku过程中的一些诡异问题和要注意 ... -
SCSS 和 SASS 和 HAML 和CoffeeScript
2011-11-07 07:52 12898Asset Pipeline 提供了内建 ... -
Invalid gemspec because of the date format in specification
2011-11-07 02:14 2067又是这个date format的错误。 上次出错忘了,记录下 ...
相关推荐
rails 2.3 chm文档 官方最新版
rails guides的CHM版本,这个向导的版本是2.3
Ruby on Rails Guide:是rails官方教程,本人为了大家学习查阅的方便,制成chm格式。就如同java doc的chm格式一样方便。
原文在此http://guides.ruby-china.org/index.html 我只是把html拷贝到word里面罢了 然而只拷贝到了Rails 安全指南这一章,后面的太多就没拷贝了 初学者只需打印到368页即可
ruby on rails 2.3.5 api,自己留着用的,如果有人不知道怎么生成的话可以下载我生成的这个
rails 3.2 API 用webzip抓下来的最新的
NULL 博文链接:https://hlee.iteye.com/blog/587006
Brakeman是一个静态分析工具,可检查Ruby on Rails应用程序中的安全漏洞。 安装 使用RubyGems: gem install brakeman 使用Bundler: group :development do gem 'brakeman' end 使用Docker: docker pull ...
修复了查看程序脚本以下bug: 1、不能滚动滚动条,会自动回到原位 2、点击方法名时,程序出错
Brakeman 是一个用来分析基于 Ruby on Rails 框架开发的应用程序的静态分析安全漏洞扫描器。 标签:Brakeman
rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails 2.3.2离线安装rails ...
This book is for web developers who are getting started with Rails and are looking for authentication solutions, as well as for Rails developers who are looking to extend their implementation of ...
[Pragmatic Bookshelf] Crafting Rails Applications Expert Practices for Everyday Rails Development (E-Book) ☆ 图书概要:☆ Rails 3 is a huge step forward. You can now easily extend the framework, ...
1. 引言 3 1.1. 术语 3 1.2. 参考文档 6 1.3. 安装环境 7 ...2.2. Rails安装 10 2.3. Mysql安装 10 2.3.1 Ruby下的mysql安装 10 2.3.2 Mysql数据库安装 10 2.4. Redmine安装 12 2.5. Apache安装 14 3. 问题列表 17
所有必需的信息都可以在Wiki上找到: 如有疑问,请使用i18_routing谷歌论坛: 适用于Rails 2.3、3.0、3.1和3.2下一个版本的TODO(写于2010年6月9日) 处理同一资源名称的多个翻译(例如:嵌套和非嵌套资源) 处理...
Ruby on Rails Guides v2 - Ruby on Rails 4.2.5
Ruby三神书之一(其余的两本是Agile.Web.Development.with.Rails和Ruby For Rails,在我的资源列表也有) Rails is large, powerful, and new. How do you use it effectively? How do you harness the power? And, ...
This book covers Postgres 9.5, Rails 5, and Ruby 2.3. You should have some experience with basic Rails concepts and a cursory understanding of JavaScript, CSS, and SQL, but by no means need to be an ...