oss-sec mailing list archives

Re: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails


From: Christopher Dell <chris () tigrish com>
Date: Thu, 5 Dec 2013 18:15:36 +0100

Hello everyone,

Just to clarify I18n.enforce_available_locales quickly: when I18n initialises, it creates an array of the known locales called I18n.available_locales. Typically, this array is created by scanning for YML files (in config/locales for a Rails app). With I18n.enforce_available_locales set to true, we check that the locale we're trying to use (e.g. translate or localize) is included in the available_locales. This means we're certain it can't be malicious user-submitted data, even outside of the scope of a Rails app.

I could really use a hand with the CVE announcements, I literally have no idea about any of this!

Cheers,

-- Chris

PS. Including Sven's correct email address.
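The check Chris describes, written out as a small stand-alone Ruby script (an added illustration, not code from the i18n gem or from Chris's message): a locale whitelist is derived from the YML file names in a constructed locales directory, and a requested locale string (the kind of value a Rails app might take from a query parameter) is only accepted when it appears in that whitelist. The helper names `build_available_locales`, `select_locale` and `InvalidLocale` are assumptions for this example; the real gem exposes the behaviour through `I18n.available_locales` and `I18n.enforce_available_locales`.

```ruby
require "tmpdir"
require "fileutils"

# Error raised when an unknown locale is requested while enforcement is on.
# (Hypothetical name for this example; the i18n gem has its own exception class.)
class InvalidLocale < StandardError; end

# Mirror the "scan config/locales for YML files" step: the locale list is
# whatever file basenames exist on disk, nothing that arrives at runtime.
def build_available_locales(locales_dir)
  Dir.glob(File.join(locales_dir, "*.yml"))
     .map { |path| File.basename(path, ".yml").to_sym }
     .sort
end

# Resolve a requested locale against the scanned whitelist.
#   enforce: true  -> unknown locales raise InvalidLocale, so user-supplied
#                     input can never select a locale that has no YML file.
#   enforce: false -> the requested string is used as-is (the weak setting);
#                     whatever the caller passed flows straight through.
def select_locale(requested, available, enforce: true)
  candidate = requested.to_s.to_sym
  return candidate unless enforce
  unless available.include?(candidate)
    raise InvalidLocale, "#{requested.inspect} is not one of #{available.inspect}"
  end
  candidate
end

# Builds a constructed locales directory with three empty YML files and
# returns what each setting does with a known and an unknown locale string.
def demo
  Dir.mktmpdir("locales") do |dir|
    %w[en.yml fr.yml de.yml].each { |name| FileUtils.touch(File.join(dir, name)) }
    available = build_available_locales(dir)

    strict_rejects =
      begin
        select_locale("not-a-locale", available, enforce: true)
        false
      rescue InvalidLocale
        true
      end

    {
      available: available,                                               # [:de, :en, :fr]
      strict_known: select_locale("fr", available, enforce: true),        # :fr
      strict_rejects_unknown: strict_rejects,                             # true
      lax_passes_unknown: select_locale("not-a-locale", available, enforce: false) # :"not-a-locale"
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |key, value| puts "#{key}: #{value.inspect}" }
end
```

The point of the last line of the hash is the failure mode the thread is about: with enforcement off, the validation step simply does not happen, and the unknown string is returned unchanged, so it is the application's responsibility to never let such a value reach output. With enforcement on, the same call raises before any locale is set.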

On Dec 3, 2013, at 22:54 PM, Kurt Seifried <kseifried () redhat com> wrote:

On 12/03/2013 02:32 PM, kpolitowicz () nimonik ca wrote:
Thanks. But what's the deal with I18n.enforce_available_locales ?


That's a good question, the technical side of which I would point you at:

http://rubygems.org/gems/i18n

The latest release fixes security stuff, however they don't do CVE
announcements/ChangeLog anywhere I can see. Adding them to this email
CC. Guys, if you need help drafting a security announcements I'd be
glad to help.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



