Ruby China

Rails ActionView 的組件有安全問題,請趕快更新 rails-html-sanitizer,並確定是否已經是 1.0.4 或以上

Aiken00 · March 22, 2018 · Last by rails_taotao replied at April 25, 2018 · 4480 hits

Loofah 有 security 的問題,這個 gem 是 rails-html-sanitizer 的一部分

然而 rails-html-sanitizer 是 actionview 的一部分

所以,可以的話盡快更新最新版本吧。。。

更新後請確定你的 rails-html-sanitizer 版本是否 1.0.4

https://github.com/flavorjones/loofah/issues/144

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.
5 likes
Rei_mk2 #1 March 23, 2018

[CVE-2018-8048] Loofah XSS Vulnerability https://groups.google.com/forum/#!topic/rubyonrails-security/b__OeLG9bts

[CVE-2018-3741] XSS vulnerability in rails-html-sanitizer https://groups.google.com/forum/#!topic/rubyonrails-security/tP7W3kLc5u4

所有项目都应该升级。

1 likes
huacnlee #2 March 23, 2018

一堆人中标

1 likes
gihnius #3 March 23, 2018
Reply to huacnlee

ActionView 依赖的,估计都得中枪!

1 likes
huacnlee #4 March 23, 2018

已修复,并上线

1 likes
wesley6j #6 March 24, 2018

谢谢,看到后赶紧更新了自己的网站。

Aiken00 #7 March 24, 2018

既然頂置了,那我就把標題寫得清楚一點

aldrich #8 March 25, 2018

有保安问题。。。

1 likes
msg7086 #9 March 28, 2018

是不是只影响到用户输入 HTML 的情况?如果用户不输入 HTML 是不是没事?

sevk #10 March 31, 2018
Reply to msg7086

会被黑客利用

eaonll #11 April 25, 2018

@huacnlee 好腻害。这么快就修复了吗?

huacnlee #12 April 25, 2018

我没看,直接删除了,你试试再发一个,难倒我漏洞没修复?

eaonll #13 April 25, 2018
Reply to huacnlee

哈哈,我试试。这个不是 CVE 的,就是 markdown 的常规漏洞,没有过滤 javascript url schemeclick me

15 Floor has deleted
eaonll #16 April 25, 2018
Reply to huacnlee

nice!!

1 likes
rails_taotao #17 April 25, 2018
Reply to huacnlee

你好。有个技术难题一直无法解决,本人在开发环境使用 RAILS_ENV=production rails assets:precompile 进行预编译,然后通过“rsync -cvzrltogD --progress #{fetch(:local_path)}/public/assets/* #{fetch(:user)}@#{fetch(:domain)}:#{fetch(:current_path)}/public/assets/”上传到生产模式。但是生产模式无法访问这些静态文件,请问下这是什么原因。

You need to Sign in before reply, if you don't have an account, please Sign up first.