Rails [CVE-2019-5418] Rails 路径穿越任意文件读取

zj0713001 · March 18, 2019 · Last by jicheng1014 replied at March 20, 2019 · 2849 hits

修复已经发布，请各位同学尽快升级吧。。。

12 likes

Rei #1 March 19, 2019

关注度太低，置顶几天。

zj0713001 #2 March 19, 2019

Reply to

感谢可能是大家都没用到未指定参数的 render file 吧，可能看了看对自己没影响就不关注了

southwolf #3 March 20, 2019

查了一下，我司代码里（万幸）只有一个地方用到了不指定格式的 render file

如果真的暴露了还是很危险的一键获取任意文件

另一个帖子漏洞分析

jicheng1014 #4 March 20, 2019

只有一个废弃的项目用了 render file

huacnlee in [Topic was deleted] mention this topic. 21 Mar 14:07

You need to Sign in before reply, if you don't have an account, please Sign up first.

Rails [CVE-2019-5418] Rails 路径穿越 任意文件读取