Got a Rails App Accepting XML Input? You've Got A Fix To Do - Now.
The official Ruby blog announces that REXML, an XML library that comes with Ruby and is heavily used by many Ruby apps (including Rails), is vulnerable to a specific type of attack that could result in a denial of service. Core Rails developer Michael "Koz" Koziarski has posted instructions on how to work around it.
If you're running Rails 2.1.0 or later, it's very simple. Just run:
gem install rexml-expansion-fix
And then add this to your app's environment.rb file:
require 'rexml-expansion-fix'
For users of lower versions of Rails, refer to Koz's post for further information. Bear in mind that even if you don't use Rails' XML processing features, they will most likely be automatically employed by your app when it receives XML data, so get on top of this right away.
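The gem and the initializer above patch REXML to count entity expansions and abort once a limit is hit. Below is an added example, written for this post and not code from the Ruby blog, from Koz's post or from the rexml-expansion-fix gem itself, showing the complementary check an app can do in its own code: refuse any incoming XML that declares entities at all (an API payload has no reason to carry a DOCTYPE with an internal subset), and set the expansion limit accessor that the fix introduced as a second line of defence. The method names (`declares_entities?`, `parse_untrusted_xml`), the `UntrustedXmlError` class, the limit value of 1,000 and the two sample documents are all this example's own choices.

```ruby
require 'rexml/document'

# Added example (not part of the original post or of rexml-expansion-fix).
# Belt-and-braces: cap REXML's entity expansion count where the accessor
# exists (it was added by the 2008 fix and is present in later REXML releases),
# and refuse entity-declaring documents before REXML parses them at all.
# The limit of 1_000 is an arbitrary choice for this example.
if REXML::Document.respond_to?(:entity_expansion_limit=)
  REXML::Document.entity_expansion_limit = 1_000
end

class UntrustedXmlError < StandardError; end

# True when the document carries a DOCTYPE with an internal subset
# ("<!DOCTYPE name [") or any <!ENTITY ...> declaration. Both are the
# ingredients of expansion-based denial of service, and neither has a
# legitimate place in XML posted to a Rails action.
def declares_entities?(xml)
  !!(xml =~ /<!DOCTYPE[^>]*\[/i) || !!(xml =~ /<!ENTITY/i)
end

# Parse XML from an untrusted source. Raises UntrustedXmlError for
# entity-bearing input; otherwise returns the REXML::Document.
def parse_untrusted_xml(xml)
  if declares_entities?(xml)
    raise UntrustedXmlError, 'XML entity declarations are not accepted'
  end
  REXML::Document.new(xml)
end

# Constructed sample inputs for demonstration.
SAFE_XML   = '<?xml version="1.0"?><order><id>42</id></order>'
UNSAFE_XML = '<?xml version="1.0"?>' \
             '<!DOCTYPE order [ <!ENTITY a "aaaa"> ]><order>&a;</order>'

if __FILE__ == $PROGRAM_NAME
  doc = parse_untrusted_xml(SAFE_XML)
  puts "accepted: root=#{doc.root.name} id=#{doc.root.elements['id'].text}"
  begin
    parse_untrusted_xml(UNSAFE_XML)
  rescue UntrustedXmlError => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails app this check belongs in front of whatever turns the request body into a Hash (a `before_filter` on XML-accepting actions, or a wrapper around the XML parsing call), so that the rejection happens before any expansion work is done. It does not replace the fix above: documents without a DOCTYPE still get parsed, and the expansion limit is what protects you if the pre-check is ever bypassed.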
August 24th, 2008 at 12:14 am
Can we please stop releasing these on Saturday mornings?
August 24th, 2008 at 1:23 pm
The fix works for 2.0+ by simply placing the fix file ( http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb ) in config/initializers, no need for gems or require calls at all (see Steve Madsen's comment in the official RoR blog).
On a Linux shell, you could simply type "wget http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb -O ./config/initializers/rexml-expansion-fix.rb" in Rails Root
August 25th, 2008 at 8:13 pm
Perhaps it's time to start moving to libxml-ruby?
August 26th, 2008 at 8:21 am
Personally I'd rather know about them sooner than later, keep up the Saturday posts if that is when they come in.
October 29th, 2008 at 8:44 am
libxml-ruby is superior. There should be an option to use it, if it is available on your platform of choice.