Ruby on Rails Action View Information Leak

ID SSV:91076
Type seebug
Reporter Root
Modified 2016-03-17T00:00:00


Possible Information Leak Vulnerability in Action View.

There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed in CVE-2016-0752; however, the 3.2 patch did not cover all scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.

Versions Affected: 3.2.x, 4.0.x, 4.1.x

Not affected: 4.2+

Fixed Versions:,


Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places, such as outside the application's view directory, and this can possibly be escalated to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.


The FIXED releases are available at the normal locations.


A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

```ruby
def index
  render params[:id]
end
```

To this:

```ruby
def index
  render verify_template(params[:id])
end

private

def verify_template(name)
  # add verification logic particular to your application here
end
```
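
One way to fill in `verify_template`, shown as an added example that is not part of the original advisory or of Rails: an exact-match allowlist, written in plain Ruby so it runs without Rails. The names `ALLOWED_TEMPLATES`, `VIEW_PREFIX`, `TemplateNotAllowed` and `template_for` are hypothetical, and the sample inputs are constructed.

```ruby
require "set"

# Hypothetical names for this example (not from the advisory or Rails):
# TemplateNotAllowed, ALLOWED_TEMPLATES, VIEW_PREFIX, template_for.
class TemplateNotAllowed < StandardError; end

ALLOWED_TEMPLATES = Set.new(%w[index about contact]).freeze
VIEW_PREFIX = "pages"

# Returns a fixed, application-chosen template path for an allowlisted name.
# Anything else raises, so the caller can answer 404 instead of rendering.
def verify_template(name)
  # Request parameters can arrive as a String, Array or Hash; accept only a String.
  raise TemplateNotAllowed, "template name must be a String" unless name.is_a?(String)
  # Exact-match lookup with no normalisation: relative or absolute paths,
  # case variants and names with extensions can never match an entry.
  unless ALLOWED_TEMPLATES.include?(name)
    raise TemplateNotAllowed, "template #{name.inspect} is not allowlisted"
  end
  "#{VIEW_PREFIX}/#{name}"
end

# Stand-in for the controller action: the template it would render, or :not_found.
def template_for(params)
  verify_template(params[:id])
rescue TemplateNotAllowed
  :not_found
end

# Constructed sample inputs (not taken from real traffic).
SAMPLE_PARAMS = [
  { id: "about" },               # allowlisted name
  { id: "../outside" },          # relative path outside the view directory
  { id: "/absolute/path" },      # absolute path
  { id: "About" },               # case variant, not an exact match
  { id: ["about"] },             # Array instead of String
  { id: { "name" => "about" } }, # Hash instead of String
  {}                             # parameter missing
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PARAMS.each { |p| puts "#{p.inspect} => #{template_for(p).inspect}" }
end
```

In a controller, the rescue branch would map to a 404 response rather than a symbol.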


Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us on the patch!