[CVE-2014-0130] Directory Traversal Vulnerability With Certain Route Configurations

[Rafael Mendonça França <rafaelmfranca () gmail com>]

There is a vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned 
the CVE identifier CVE-2014-0130.

Versions Affected:  All Supported
Not affected:       None
Fixed Versions:     4.1.1, 4.0.5, 3.2.18

Impact
------
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the 
corresponding name.  This module does not perform adequate input sanitization which could allow an attacker to use a 
specially crafted request to retrieve arbitrary files from the rails application server.

In order to be vulnerable an application must specifically use globbing routes[1] in combination with the :action 
parameter.  The purpose of the route globbing feature is to allow parameters to contain characters which would 
otherwise be regarded as separators, for example '/' and '.'.  As these characters have semantic meaning within 
template filenames, it is highly unlikely that applications are deliberately combining these functions.

To determine if you are vulnerable, search your application's routes files for '*action' and if you find any, use one 
of the work arounds below.

Releases
--------
The 4.1.1, 4.0.5 and 3.2.18 releases are available at the normal locations.

Workarounds
-----------
The simplest workaround is to simply not use globbing matches for the :action parameter.  As action methods cannot 
contain a '/' character, the simple matching should be sufficient. So replace

  get 'my_url/*action', controller: 'asdf'

with

  get 'my_url/:action', controller: 'asdf'

If your application depends on this functionality, you will need to rename the route parameter and add an explicit 
action:

  get 'my_url/*template_path', controller: 'asdf', action: 'display'

Then add an action which renders explicitly:

  def display
    if !params[:template_path].index('.')
      render file: params[:template_path]
    end
  end

Note: The path check in this example may not be suitable for your application, take care


Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  
They are in git-am format and consist of a single changeset. 

* 4-1-directory_traversal.patch - Patch for 4.1 series
* 4-0-directory_traversal.patch - Patch for 4.0 series
* 3-2-directory_traversal.patch - Patch for 3.2 series

Please note that only the 4.1.x, 4.0.x and 3.2.x series are supported at present.  Users of earlier unsupported 
releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes 
for unsupported releases.

Credits 
------- 
Thanks to Ville Lautanala of Flowdock for reporting the vulnerability to us, and working with us on a fix.

[1] http://guides.rubyonrails.org/routing.html#route-globbing-and-wildcard-segments

Attachment: 3-2-directory_traversal.patch
Description:

Attachment: 4-0-directory_traversal.patch
Description:

Attachment: 4-1-directory_traversal.patch
Description: