oss-sec mailing list archives

Re: CVE for ruby on rails XSS fixes

From: Josh Bressers <bressers () redhat com>
Date: Wed, 6 Apr 2011 13:47:53 -0400 (EDT)

----- Original Message -----

Hi,

Can someone assign a CVE for the XSS issue described in

https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG


Here is the changelog text:

*Rails 3.0.6 (April 5, 2011)

* Fixed XSS vulnerability in `auto_link`.  `auto_link` no longer marks
  input as html safe.  Please make sure that calls to auto_link() are
  wrapped in a sanitize(), or a raw() depending on the type of input passed
  to auto_link().
  For example:

    <%= sanitize(auto_link(some_user_input)) %>

  Thanks to Torben Schulz for reporting this.  The fix can be found here:
  61ee3449674c591747db95f9b3472c5c3bd9e84d

Use CVE-2011-1497

Thanks.

-- 
    JB

Current thread:

CVE for ruby on rails XSS fixes Sebastian Krahmer (Apr 06)
- Re: CVE for ruby on rails XSS fixes Josh Bressers (Apr 06)