RubyGem Hotfix for cgi.rb Vulnerabilities Released

By Peter Cooper / December 6, 2006

Evan Weaver has leaped to the rescue with a hotfix (installable as a gem) for the cgi.rb DoS vulnerabilities. This hotfix is ideal for those who don't want to install Ruby or patch again. Evan's site has been having some DNS issues (related to the EveryDNS outages) so I hope he doesn't mind me repeating part of his post here:

I’ve constructed a hotfix for the cgi.rb vulnerability of yesterday. First, make sure you have the Hoe gem installed. Then:

sudo gem install cgi_multipart_eof_fix --source blog.evanweaver.com

Run the included test to verify the flaw is corrected. To apply the fix, you must require the gem in every affected application, as follows:

require 'rubygems'
require 'cgi_multipart_eof_fix'

If you only use mongrel_rails for application hosting, you may install mongrel like so:

sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases

Then mongrel will require the fix for you, provided you have installed version 2.0.0 of this gem. This is a hack, and mongrel may change in the future.

There's a little more on his page, but this covers the important parts if you can't access it.
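One way to check that the fix is in effect in an application's Ruby, as an added example that is not part of Evan's gem or its bundled test: it feeds CGI a constructed multipart body whose closing boundary line is missing and reports whether the parser rejects it, accepts it, or runs past a time limit. The probe_multipart name, the boundary value and the sample body are assumptions.

```ruby
require 'cgi'
require 'stringio'
require 'timeout'

# Constructed sample: a multipart/form-data body with no closing
# "--boundary--" line, the malformed-input class the hotfix targets.
BOUNDARY = 'AaB03x'
TRUNCATED_BODY =
  "--#{BOUNDARY}\r\n" \
  "Content-Disposition: form-data; name=\"title\"\r\n" \
  "\r\n" \
  "hello\r\n" # no "--AaB03x--\r\n" terminator follows

# Hand `body` to CGI as a POST with the given boundary, under a wall-clock limit.
# Returns :rejected when the parser raises EOFError (patched behaviour),
# :parsed when it accepts the body, or :hung when it exceeds `limit` seconds
# (the unpatched behaviour the hotfix removes).
def probe_multipart(body, boundary, limit = 2)
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => "multipart/form-data; boundary=#{boundary}",
    'CONTENT_LENGTH' => body.bytesize.to_s
  }
  saved_env   = env.keys.to_h { |k| [k, ENV[k]] }
  saved_stdin = $stdin
  env.each { |k, v| ENV[k] = v }
  $stdin = StringIO.new(body)          # CGI.new reads the request body from $stdin
  Timeout.timeout(limit) { CGI.new }
  :parsed
rescue EOFError
  :rejected
rescue Timeout::Error
  :hung
ensure
  $stdin = saved_stdin
  saved_env.each { |k, v| ENV[k] = v } # assigning nil deletes the key again
end

if $PROGRAM_NAME == __FILE__
  puts "truncated multipart body: #{probe_multipart(TRUNCATED_BODY, BOUNDARY)}"
end
```

A result of :hung on a production interpreter means the hotfix (or a patched cgi.rb) is not loaded in that process.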
