Rails CSRF Security Vulnerability 19 Nov 08

Users of Rails 2.1 and 2.2 need to be aware of a vulnerability in Rails’ CSRF forgery protection.

For those that don’t know, Rails generates an authentication token within your forms and verifies this token when the form is submitted back to your application. This prevents attackers from crafting malicious requests whilst pretending to be your authenticated user.

However, for certain types of request (supposedly those that cannot be generated from a browser) this authentication token is ignored – in order to make it simpler for automated API access to your application (using JSON, XML or a few other data transport types). Unfortunately, text/plain is wrongly included as one of these types.

Luckily, the fix is simple. The long-term solution is to upgrade your application to Rails 2.1.3 or 2.2.2 (when they are released); the quick fix is even easier – tell Rails to verify text/plain requests by creating a file (called mime_type_csrf_fix.rb) in your config/initializers folder:


# temporary fix for http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
Mime::Type.unverifiable_types.delete(:text)


“uninitialized constant REXML::VERSION” with Rails 2.1.1 and Rails 2.2 10 Sep 08

We’ve found a minor problem with Rails 2.1.1 (and Rails 2.2) on our Brightboxes.

Because we use Ubuntu Dapper, which ships with Ruby 1.8.4, it includes an earlier version of the REXML library (for XML processing). As you may know, there was a recent security vulnerability to do with the REXML library and these latest two versions of Rails include a fix for this.

Unfortunately, the library that ships with 1.8.4 is slightly incorrect. Ruby conventions state that a constant should be all capitals so, quite rightly, the Rails updates check for a constant called REXML::VERSION. However, in 1.8.4, the constant is actually called REXML::Version meaning that Rails falls over with an “uninitialized constant REXML::VERSION” error.

The quick fix is to manually edit /usr/lib/ruby/1.8/rexml/rexml.rb and add a new (correctly named constant). You will need to use sudo to edit the file, as it is owned by root; after editing the file should look something like:

module REXML
        Copyright = "Copyright © 2001, 2002, 2003, 2004 Sean Russell <ser@germane-software.com>"
        Date = "2005/224"
        Version = "3.1.3"
        VERSION = "3.1.3"
end

We are also looking at our options for a permanent fix for this issue.