oss-sec mailing list archives
Re: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
From: Christopher Dell <chris () tigrish com>
Date: Thu, 5 Dec 2013 18:15:36 +0100
Hello everyone,

Just to clarify I18n.enforce_available_locales quickly, when I18n initialises, it creates an array of the known locales called I18n.available_locales. Typically, this array is created by scanning for YML files (in config/locales for a Rails app).

With I18n.enforce_available_locales set to true, we check that the locale we're trying to use (e.g. translate or localize) is included in the available_locales. This means we're certain it can't be malicious user-submitted data, even outside of the scope of a Rails app.

I could really use a hand with the CVE announcements, I literally have no idea about any of this!

Cheers,
--
Chris

PS. Including Sven's correct email address.

On Dec 3, 2013, at 22:54 PM, Kurt Seifried <kseifried () redhat com> wrote:
> Signed PGP part
>
> On 12/03/2013 02:32 PM, kpolitowicz () nimonik ca wrote:
>> Thanks. But what's the deal with I18n.enforce_available_locales ?
>
> That's a good question, the technical side of which I would point you at:
> http://rubygems.org/gems/i18n
>
> The latest release fixes security stuff, however they don't do CVE announcements/ChangeLog anywhere I can see. Adding them to this email CC. Guys, if you need help drafting a security announcement I'd be glad to help.
>
> --
> Kurt Seifried
> Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
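The enforce_available_locales check described in this thread, as an added example that is not code from the i18n gem or from anyone on the list: it derives available_locales by scanning a constructed temporary config/locales directory for *.yml files, then resolves an untrusted locale value with enforcement on and off. The helper names, the InvalidLocale class and the sample files are assumptions made for this illustration.

```ruby
require 'set'
require 'tmpdir'

# Constructed stand-in for a Rails app's config/locales directory.
# Only the *.yml files should become available locales.
SAMPLE_LOCALE_FILES = {
  "en.yml"    => "en:\n  hello: Hello\n",
  "fr.yml"    => "fr:\n  hello: Bonjour\n",
  "README.md" => "not a locale file\n",
}.freeze

# Raised when enforcement is on and the requested locale is unknown
# (plays the role that I18n::InvalidLocale plays in the real gem).
class InvalidLocale < ArgumentError; end

# Writes the sample files into a fresh temp dir and returns its path.
def write_sample_locales
  dir = Dir.mktmpdir("locales")
  SAMPLE_LOCALE_FILES.each { |name, body| File.write(File.join(dir, name), body) }
  dir
end

# Builds the equivalent of I18n.available_locales by scanning for YML
# files, as the message describes; locale names are kept as plain strings.
def available_locales_from(dir)
  Dir.glob(File.join(dir, "*.yml")).map { |f| File.basename(f, ".yml") }.to_set
end

# Resolves a locale that came from an untrusted source such as params[:locale].
# enforce: true  -> anything outside available_locales is rejected up front,
#                   so it never reaches translate/localize.
# enforce: false -> the raw value passes straight through (the weak setting).
def resolve_locale(requested, available, enforce: true)
  locale = requested.to_s
  return locale unless enforce
  unless available.include?(locale)
    raise InvalidLocale, "#{locale.inspect} is not in available_locales #{available.to_a.sort.inspect}"
  end
  locale
end

if __FILE__ == $0
  available = available_locales_from(write_sample_locales)
  puts "available_locales: #{available.to_a.sort.inspect}"
  puts "enforce off: #{resolve_locale('not-a-locale<b>', available, enforce: false).inspect}"
  begin
    resolve_locale("not-a-locale<b>", available)
  rescue InvalidLocale => e
    puts "enforce on: #{e.message}"
  end
end
```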