oss-sec mailing list archives
Re: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 05 Dec 2013 21:55:04 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/05/2013 10:15 AM, Christopher Dell wrote:
Hello everyone,

Just to clarify I18n.enforce_available_locales quickly: when I18n initialises, it creates an array of the known locales called I18n.available_locales. Typically, this array is created by scanning for YML files (in config/locales for a Rails app). With I18n.enforce_available_locales set to true, we check that the locale we're trying to use (e.g. in translate or localize) is included in the available_locales. This means we're certain it can't be malicious user-submitted data, even outside of the scope of a Rails app.

I could really use a hand with the CVE announcements, I literally have no idea about any of this!

Cheers,
-- Chris

PS. Including Sven's correct email address.
Thanks. Contact me offlist, I can walk you through it. In general I'll be documenting this, it's not something that is documented at all in an actually useful fashion (there's 800 page books on doing security response which are basically useless for actually getting things done in Open Source projects =).

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSoVioAAoJEBYNRVNeJnmT5h8P/iyJNz0qETb4gdedis9HMSc8 vmQpEFnw2r7rwUpapDZjr9Y9pJSlQh61zTFR6HHrwHlFLdD6O9Jc2l+MkTF6RYy5 LhJD6e5OaTNSNGAFZgGv4GNUAwGYQQ5PMMeeiPMmHy7lkW30TBOn22m+UvwvIMGi vLhe5PF6jXUaHH5rKVgDeLPa8F7uHXZl5VwejirbO57TW9BcpDe0v1//Ioh/KWhg DvpcoVOdzXloDWeJ2qDj4ph0pfTqFkUuMF85EY5Lc6DZLWODHqiZJs6BVd8VsywW Byt0s4oSTZL2hqZo9beYo8BlYpwUhzOTSRWi31VwyDo/pn30iXTp828Ogbtbu3i3 2vI6pAw0uj9AFERDY267D6lgbhMNu0cx8FAcMPfOwHgVdM7mBEXhjijaK7POUw8v sjzT4gYWn9TnXD/uSJJtvnEcktKrZINvA1cj2jzFAIvr0sK4LdZgxAqlo/m8W8ua K2YNYMxiglmTBdwC/gBDgITmFNeEVcb6gA0EglXQApM7KdyhK6VMO2NMjZzhSGP7 iDoqjNA/u9ykXehCB2pAWyDNDaJ4khKfnWnFy6aMMWYW5R0rbpZgKQWw/5ttXY6O HQvetRQ2OsTRRC1l2/a1lMb1vEVemaZZ0XCTg8FtPQMgB3v9ACnAA7TpAPqTC++V wZWBValU5HcnCj23X8zE
=tFFx
-----END PGP SIGNATURE-----
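The enforcement check Chris describes above, as an added example that is not part of this thread and not the i18n gem's own code: a small stand-alone model in plain Ruby that builds available_locales from YAML files in a directory (the constructed sample files stand in for a Rails app's config/locales) and, with enforcement on, refuses any locale not in that list before translate runs. The class and method names (LocaleRegistry, InvalidLocale, demo) and the "translation missing" string it returns for unknown keys are this example's own assumptions, chosen to show where an unchecked, user-supplied locale string would otherwise travel.

```ruby
require "yaml"
require "tmpdir"

# Constructed sample locale files standing in for config/locales/*.yml.
# Locale names are taken from each file's top-level key (assumption: this
# small model mirrors how available_locales is derived; it is not the gem).
SAMPLE_LOCALES = {
  "en.yml" => { "en" => { "greeting" => "Hello" } },
  "fr.yml" => { "fr" => { "greeting" => "Bonjour" } },
}

class InvalidLocale < StandardError; end

class LocaleRegistry
  attr_reader :available_locales
  attr_accessor :enforce_available_locales

  # Scan the directory for YML files and record every top-level locale key.
  def initialize(dir, enforce: true)
    @translations = {}
    Dir.glob(File.join(dir, "*.yml")).sort.each do |path|
      YAML.safe_load(File.read(path)).each do |locale, data|
        @translations[locale.to_sym] = data
      end
    end
    @available_locales = @translations.keys
    @enforce_available_locales = enforce
  end

  # With enforcement on, a locale outside available_locales is rejected
  # before any lookup happens, so user input never reaches the output path.
  def translate(key, locale:)
    locale = locale.to_sym
    if enforce_available_locales && !available_locales.include?(locale)
      raise InvalidLocale, "#{locale} is not a valid locale"
    end
    @translations.dig(locale, key) || "translation missing: #{locale}.#{key}"
  end
end

def write_sample_locales(dir)
  SAMPLE_LOCALES.each do |name, body|
    File.write(File.join(dir, name), body.to_yaml)
  end
end

# Feed a user-supplied locale string (think of a ?locale= request parameter)
# through the registry; returns [:ok, text] or [:rejected, message].
def demo(user_locale, enforce:)
  Dir.mktmpdir do |dir|
    write_sample_locales(dir)
    registry = LocaleRegistry.new(dir, enforce: enforce)
    begin
      [:ok, registry.translate("greeting", locale: user_locale)]
    rescue InvalidLocale => e
      [:rejected, e.message]
    end
  end
end

if __FILE__ == $0
  p demo("fr", enforce: true)
  p demo("<script>alert(1)</script>", enforce: false)
  p demo("<script>alert(1)</script>", enforce: true)
end
```

With enforcement off, the attacker-chosen string is accepted as a locale and ends up embedded in the returned text; with enforcement on, the same input raises InvalidLocale before any translation is looked up. The registry only knows locales that exist on disk, which is the property the check relies on.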
Current thread:
- [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails Aaron Patterson (Dec 03)
- Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails kpolitowicz (Dec 03)
- Re: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails Kurt Seifried (Dec 03)
- Re: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails Christopher Dell (Dec 05)
- Re: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails Kurt Seifried (Dec 05)
- Re: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails Kurt Seifried (Dec 03)
- Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails kpolitowicz (Dec 03)
- Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails chris (Dec 05)
- Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails nick (Dec 22)
- Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails Solar Designer (Dec 22)