Ruby China
Access denied, Please sign in and make sure you have proper permission.

Rails [CVE-2019-5418] Rails 路径穿越 任意文件读取

zj0713001 · March 18, 2019 · Last by jicheng1014 replied at March 20, 2019 · 2862 hits
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

详情:https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

修复已经发布,请各位同学尽快升级吧。。。

12 likes
Rei #0 March 19, 2019

关注度太低,置顶几天。

zj0713001 #1 March 19, 2019
Reply to Rei

感谢 可能是大家都没用到未指定参数的 render file 吧,可能看了看对自己没影响就不关注了

southwolf #2 March 20, 2019

查了一下,我司代码里(万幸)只有一个地方用到了不指定格式的 render file

如果真的暴露了还是很危险的 一键获取任意文件

另一个帖子 漏洞分析

jicheng1014 #3 March 20, 2019

只有一个废弃的项目用了 render file

huacnlee in [Topic was deleted] mention this topic. 21 Mar 14:07
You need to Sign in before reply, if you don't have an account, please Sign up first.