Rails XSS Vulnerability / Rails 2.3.x no longer supported

Added by Ondřej Surý over 12 years ago

Hi,

there seems to be a problem with a clash of:

a) Ruby on Rails security support (only for 3.x)
b) the required version of RoR (only 2.3)

So, my question is whether the Redmine team could provide basic security support for older Rails?

Or maybe the question should be: Is Redmine vulnerable to the current XSS vulnerability?


Replies (5)

RE: Rails XSS Vulnerability / Rails 2.3.x no longer supported - Added by Etienne Massip over 12 years ago

AFAIK, the latest RoR 2.3.14, used by Redmine, has fixed the remaining XSS vulnerabilities.

What's the current XSS vulnerability?

RE: Rails XSS Vulnerability / Rails 2.3.x no longer supported - Added by Etienne Massip over 12 years ago

This requires a little digging but I don't think that Redmine is vulnerable to these attacks.

The option tag is sometimes written directly as HTML (and I think that JPL has turned this HTML code into #content_tag() calls recently for 1.4.0), but I don't think it can contain user input.

I don't remember any use of Safebuffer#[] in RM code, but I could be wrong.
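As an added illustration of the two things the reply above is checking for (option tags written as raw HTML strings, and string operations on an HTML-safe buffer), here is a small stand-alone Ruby example. It is not code from Redmine or from Rails: `option_tags_raw`, `option_tags_escaped` and the `SafeBuf` class are hypothetical, and `SafeBuf` is only a toy modelled on the idea of a buffer that tracks whether its contents are already escaped. Escaping is done with `ERB::Util.html_escape` from the standard library, which is the same kind of escaping Rails' `content_tag` applies to attribute values and text.

```ruby
require 'erb'

# Vulnerable pattern: option tags assembled by string interpolation.
# Any label or value that originates from user input lands in the markup
# exactly as supplied, so a label containing "<script>" becomes script.
def option_tags_raw(choices, selected = nil)
  choices.map do |label, value|
    sel = value == selected ? ' selected="selected"' : ''
    %(<option value="#{value}"#{sel}>#{label}</option>)
  end.join("\n")
end

# Hardened variant: every attribute value and text node is escaped before
# it is interpolated, which is what a content_tag-style helper does for you.
def option_tags_escaped(choices, selected = nil)
  choices.map do |label, value|
    sel = value == selected ? ' selected="selected"' : ''
    v = ERB::Util.html_escape(value)
    l = ERB::Util.html_escape(label)
    %(<option value="#{v}"#{sel}>#{l}</option>)
  end.join("\n")
end

# Hypothetical stand-in for an HTML-safe buffer (not Rails' SafeBuffer):
# appending a plain String escapes it, appending another SafeBuf does not,
# and slicing with [] deliberately returns a plain String so that a fragment
# cut out of trusted markup is not itself treated as trusted HTML.
class SafeBuf
  attr_reader :html

  def initialize(s = '')
    @html = s.dup
  end

  def html_safe?
    true
  end

  def <<(other)
    @html << (other.is_a?(SafeBuf) ? other.html : ERB::Util.html_escape(other))
    self
  end

  def [](*args)
    @html[*args] # plain String, no html_safe? marker
  end

  def to_s
    @html
  end
end

# Constructed input: a user-controlled label carrying a script tag.
def demo
  evil = '<script>alert(1)</script>'
  raw = option_tags_raw([[evil, '1']])
  escaped = option_tags_escaped([[evil, '1']])
  buf = SafeBuf.new('<b>') << evil << SafeBuf.new('</b>')
  {
    raw_contains_script: raw.include?('<script>'),
    escaped_contains_script: escaped.include?('<script>'),
    buffer: buf.to_s,
    slice_is_safe: buf[0, 3].respond_to?(:html_safe?)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The check a reviewer would run against a code base like Redmine's is the same one the example makes mechanical: find every place where `<option>` (or any tag) is built with string interpolation, and confirm that each interpolated piece is either a literal or has passed through an escaping helper.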
