Rails 1.1.6: The saga continues

Rails 1.1.6, backports, and full disclosure.

With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), a bug in the Rails routing code lets a URL trigger the evaluation of Ruby code. This means that you can essentially take down a Rails process by requesting something like /script/profiler: the code runs for a long time and the process hangs while it does. Other URLs can even cause data loss.

Update via the following (since the gem server is supposedly getting hammered):

sudo gem install rails --source http://gems.rubyonrails.org --include-dependencies

Further information on the affected Rails versions and server combinations is also available.

This is turning into a bit of a nightmare now, especially as the patch breaks the Rails engines. I’ve had to resort to the lighty URL rewrite rule.

url.rewrite-once = ( "^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/" => "index.html" )
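As an added illustration (not part of the original post), the Ruby below mirrors the lighttpd rule above as a defender-side check: it classifies request paths the same way the regex does and scans constructed access-log lines for requests that would have reached the vulnerable router on an unpatched install with no rewrite in front of it. The log lines and paths other than /script/profiler are constructed samples.

```ruby
# Application directories the lighttpd rule refuses to route to Rails.
RAILS_APP_DIRS = %w[app components config db doc lib log public script test tmp vendor].freeze

# Same pattern as the url.rewrite-once rule: the path must begin with one of
# the directories followed by a slash, so "/scripts/x" is not matched.
BLOCKED_PATH_RE = %r{\A/(?:#{RAILS_APP_DIRS.join('|')})/}

# Returns true when a request path would be rewritten away by the rule.
def blocked_path?(path)
  BLOCKED_PATH_RE.match?(path)
end

# Pulls the request path out of an access-log line in the common/combined
# shape lighttpd writes ("METHOD /path HTTP/x.y" in double quotes).
def request_path(log_line)
  m = log_line.match(%r{"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/\d\.\d"})
  return nil unless m
  m[1].split('?', 2).first # drop any query string before matching
end

# Scans log lines and returns the paths that hit a Rails application
# directory, i.e. requests the rewrite rule exists to stop.
def suspicious_requests(log_lines)
  log_lines.map { |line| request_path(line) }
           .compact
           .select { |path| blocked_path?(path) }
end

# Constructed sample log lines (not real traffic), in lighttpd's default
# accesslog layout: host, vhost, user, time, request, status, bytes, referer, UA.
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  10.0.0.5 example.test - [10/Aug/2006:09:12:01 +0100] "GET /posts/1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
  10.0.0.9 example.test - [10/Aug/2006:09:12:07 +0100] "GET /script/profiler HTTP/1.1" 200 0 "-" "curl/7.15"
  10.0.0.5 example.test - [10/Aug/2006:09:12:09 +0100] "GET /scripts/app.js HTTP/1.1" 200 812 "-" "Mozilla/5.0"
  10.0.0.9 example.test - [10/Aug/2006:09:12:15 +0100] "GET /lib/helper?x=1 HTTP/1.1" 200 0 "-" "curl/7.15"
LOG

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each { |path| puts "would reach the router: #{path}" }
end
```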

Another bad day for Rails.

Update: Anatomy of an attack against Rails 1.1.4

