Version 1.2.0 of high_voltage is a security fix. Please upgrade.
The high_voltage static page gem prior to version 1.2.0 allows attackers to cause the Rails app to render arbitrary files as if they were ERB templates. The attacker can trigger this local file inclusion (LFI) through the use of URL-encoded Unicode characters, which bypass the Ruby Pathname#cleanpath method.
Upgrade to version 1.2.0 of high_voltage:
bundle update high_voltage
If you cannot upgrade easily, you can instead subclass HighVoltage::PagesController to override the current_page method and remove invalid characters manually. More details on overriding can be found in the high_voltage documentation.
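As an added example (not code from the high_voltage project or from this post), here is one way to implement that workaround: a subclass of HighVoltage::PagesController whose current_page validates params[:id] against an ASCII allowlist before anything is handed to the filesystem, rather than trying to strip bad characters one by one. The HighVoltage::PagesController base class below is a constructed stand-in so the file runs without Rails or the gem; the PageIdSanitizer module, the SafePagesController name and the InvalidPageId error are assumptions of this example.

```ruby
# Constructed stand-in for the gem's HighVoltage::PagesController so that this
# example runs without Rails or high_voltage installed. The real class comes
# from the gem; only `params` is modelled here.
module HighVoltage
  class PagesController
    attr_reader :params

    def initialize(params)
      @params = params
    end
  end
end

# Allowlist-based validation of the page id taken from the URL. Instead of
# removing characters that look dangerous, accept only ids shaped like the
# page names a site actually has and reject everything else.
module PageIdSanitizer
  # One or more path segments of ASCII letters, digits, "_" or "-", joined by
  # single forward slashes. "." and ".." segments, leading or doubled slashes,
  # NUL bytes and any non-ASCII character (including URL-decoded Unicode
  # look-alikes of "/" or ".") fail to match.
  PAGE_ID = %r{\A[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\z}

  # Returns the id unchanged when it is acceptable, nil otherwise.
  def self.sanitize(id)
    id = id.to_s
    # A malformed byte sequence would make the regexp match raise; treat it
    # as invalid input instead of letting it become a 500.
    return nil unless id.valid_encoding?
    return nil unless PAGE_ID.match?(id)
    id
  end
end

# The workaround from the advisory: subclass the gem's controller and replace
# current_page with a version that validates params[:id] first. The class
# name and error class are assumptions of this example.
class SafePagesController < HighVoltage::PagesController
  InvalidPageId = Class.new(StandardError)

  def current_page
    page = PageIdSanitizer.sanitize(params[:id])
    # In a Rails app, raise ActionController::RoutingError here instead so
    # the request is answered with a 404 rather than a 500.
    raise InvalidPageId, "rejected page id #{params[:id].inspect}" if page.nil?
    page
  end
end
```

In a real application, drop the stand-in module, require the gem, point the pages route at SafePagesController, and raise ActionController::RoutingError for rejected ids. Note that Rails hands you params[:id] already URL-decoded, so the allowlist sees the decoded characters and rejects any non-ASCII byte before Pathname#cleanpath or the template lookup is ever consulted.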
Thanks to Jefferson Venerando for bringing the Unicode exploit to our attention.