Date: Mon, 25 Jan 2016 11:35:37 -0800 From: Aaron Patterson <tenderlove@...y-lang.org> To: security@...e.de, rubyonrails-security@...glegroups.com, oss-security@...ts.openwall.com, ruby-security-ann@...glegroups.com Subject: [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer XSS vulnerability in rails-html-sanitizer There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`. This vulnerability has been assigned the CVE identifier CVE-2015-7579. Versions Affected: 1.0.2 Not affected: 1.0.0, 1.0.1 Fixed Versions: 1.0.3 Impact ------ Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's `strip_tags` these entities will be unescaped what may cause a XSS attack if used in combination with `raw` or `html_safe`. For example: strip_tags("<script>alert('XSS')</script>") Would generate: <script>alert('XSS')</script> After the fix it will generate: <script>alert('XSS')</script> All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application: ``` $ cat config/initializers/strip_tags_fix.rb class ActionView::Base def strip_tags(html) self.class.full_sanitizer.sanitize(html) end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * Do-not-unescape-already-escaped-HTML-entities.patch Credits ------- Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for reporting the problem and working with us to fix it. -- Aaron Patterson http://tenderlovemaking.com/ View attachment "Do-not-unescape-already-escaped-HTML-entities.patch" of type "text/plain" (5012 bytes) Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.