Version 1.2.0 of high_voltage is a security fix. Please upgrade.
Description
The high_voltage static page gem prior to version 1.2.0 allows attackers to cause the Rails app to render arbitrary files as if they were ERB templates. The attacker can trigger this local file inclusion (LFI) through the use of URL-encoded Unicode characters, which bypass the Ruby Pathname#cleanpath method used to normalize the requested page path.
Solution
Upgrade to version 1.2.0 of high_voltage:
bundle update high_voltage
Workaround
If you cannot upgrade easily, you can instead subclass HighVoltage::PagesController to override the current_page method and remove invalid characters manually. More details on overriding can be found in the high_voltage documentation.
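The following is an added example of the workaround described above; it is not code from the high_voltage project. It goes one step further than "remove invalid characters": the check fails closed and refuses any page id containing a non-ASCII character, a percent sign, a dot or an empty path segment, so nothing ever reaches Pathname#cleanpath that could be normalized into a different path. The controller subclass is an assumption about how the 1.x controller is wired (HighVoltage.content_path as the template prefix, ActionController::RoutingError as the "no such page" error, and your routes pointing at the subclass); the SafePageId module itself runs without Rails.

```ruby
# Added example (not from the high_voltage project): a fail-closed page-id
# check for use in a HighVoltage::PagesController subclass.
require "pathname"

module SafePageId
  # Page ids are relative paths under the pages directory built from ASCII
  # letters, digits, underscore, hyphen and "/" only. Anything else, including
  # every non-ASCII character, fails the check instead of being normalized away.
  SEGMENT = /\A[A-Za-z0-9_-]+\z/

  # Returns the validated page id, or nil when the request should be refused.
  def self.check(raw_id)
    return nil unless raw_id.is_a?(String) && !raw_id.empty?
    # Rails has already URL-decoded params[:id]; any remaining non-ASCII byte
    # (the class of input the advisory describes) is rejected outright.
    return nil unless raw_id.ascii_only?
    segments = raw_id.split("/", -1)
    # Empty segments cover a leading "/", a trailing "/" and "//".
    return nil if segments.any?(&:empty?)
    return nil unless segments.all? { |s| s.match?(SEGMENT) }
    id = segments.join("/")
    # Dots are not allowed above, so cleanpath cannot rewrite the id; assert it
    # anyway so a future loosening of SEGMENT cannot silently reintroduce traversal.
    return nil unless Pathname.new(id).cleanpath.to_s == id
    id
  end
end

# The subclass the advisory describes. Guarded so this file also runs outside
# Rails; with high_voltage loaded, route your static pages to this controller.
# HighVoltage.content_path and ActionController::RoutingError are assumed to
# behave as in high_voltage 1.x / Rails (assumption, not taken from the advisory).
if defined?(HighVoltage::PagesController)
  class PagesController < HighVoltage::PagesController
    def current_page
      id = SafePageId.check(params[:id])
      raise ActionController::RoutingError, "No such page: #{params[:id]}" if id.nil?
      "#{HighVoltage.content_path}#{id}"
    end
  end
end
```

Rejecting rather than stripping means a request such as a Unicode look-alike of ".." returns a 404 instead of being quietly rewritten into some other page, which is also the behavior you want to see in your logs when probing for this issue starts.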
Acknowledgements
Thanks to Jefferson Venerando for bringing the Unicode exploit to our attention.