
Got a Rails App Accepting XML Input? You've Got A Fix To Do - Now.

In Deployment, Miscellaneous, News

The official Ruby blog announces that REXML, the XML library that ships with Ruby and is heavily used by many Ruby apps (including Rails), is vulnerable to an entity expansion attack that can result in a denial of service. Core Rails developer Michael "Koz" Koziarski has posted instructions on how to work around it.

If you're running Rails 2.1.0 or later, it's very simple. Just run:

gem install rexml-expansion-fix

And then add this to your app's environment.rb file:

require 'rexml-expansion-fix'

For users of earlier versions of Rails, refer to Koz's post for further information. Bear in mind that even if your own code never calls Rails' XML processing features, Rails will most likely run them automatically whenever your app receives a request carrying XML data, so get on top of this right away.
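The guard that rexml-expansion-fix bolts on is a cap on how many entity expansions REXML will perform for one document; modern REXML ships the same knob built in under REXML::Security (the older REXML::Document.entity_expansion_limit= spelling is still accepted). The script below is an added example, not code from the post or from Koz's fix: it parses a small constructed document with a three-level entity chain, once under the default limit and once under a deliberately tiny limit, so you can confirm that the REXML your app loads actually aborts instead of expanding without bound. The helper names and the sample document are my own.

```ruby
# Added example (not from the post or from the rexml-expansion-fix gem):
# check that the REXML in use enforces an entity expansion limit.
require 'rexml/document'

# Constructed sample: &c; expands to four &b;, each of which expands to
# four &a;, so the fully expanded text is sixteen "x" characters.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE demo [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;">
  ]>
  <demo>&c;</demo>
XML

# Parse the document and force expansion by reading the root's text.
# Expansion is lazy in REXML, so the limit is checked here, not in new().
# Returns the expanded text, or "aborted: <message>" if REXML refused.
# The limit is restored afterwards so callers are not left with a
# changed global setting.
def expand_root_text(xml, expansion_limit: nil)
  saved = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = expansion_limit if expansion_limit
  REXML::Document.new(xml).root.text
rescue StandardError => e
  "aborted: #{e.message}"
ensure
  REXML::Security.entity_expansion_limit = saved
end

# The limits currently in force: expansion count and expanded text size
# in bytes. Worth logging from an initializer so a deploy can prove the
# guard is present.
def rexml_limits
  {
    expansions: REXML::Security.entity_expansion_limit,
    text_bytes: REXML::Security.entity_expansion_text_limit
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "limits in force: #{rexml_limits.inspect}"
  puts "default limit:   #{expand_root_text(SAMPLE_XML)}"
  puts "limit of 2:      #{expand_root_text(SAMPLE_XML, expansion_limit: 2)}"
end
```

Dropped into config/initializers, the rexml_limits call is a cheap way to have every boot log the limits that are actually in effect, which is the value you want to see change after installing the fix.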


5 Comment Responses to “Got a Rails App Accepting XML Input? You've Got A Fix To Do - Now.”

  1. #1
    Jonathan George Says:

    Can we please stop releasing these on Saturday mornings?

  2. #2
    Christoph Olszowka Says:

    The fix works for 2.0+ by simply placing the fix file ( http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb ) in config/initializers, no need for gems or require calls at all (see Steve Madsen's comment in the official RoR blog).

    On a Linux shell, you could simply type "wget http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb -O ./config/initializers/rexml-expansion-fix.rb" in Rails Root

  3. #3
    postmodern Says:

    Perhaps it's time to start moving to libxml-ruby?

  4. #4
    Glenn Says:

    Personally I'd rather know about them sooner than later, keep up the Saturday posts if that is when they come in.

  5. #5
    Thomas Eng Says:

    libxml-ruby is superior. There should be an option to use it, if it is available on your platform of choice.
