New to Rails 3? Check out the Ruby on Rails 3 Tutorial book and screencast.

A book and screencast series showing you how to develop and deploy industrial-strength Rails apps in a direct, step by step way. The screencast series includes 12 lessons over more than 15 hours! Get the best "over the shoulder" experience of following what a top Rails 3 developer does when building an app today. Click here to learn more.

Warning: Security Hole In Rails 2.3's HTTP Digest Authentication

In News

Nate Kontny of Inkling Markets has found a nasty security hole in the code example provided in both the documentation and blog post for the Digest Authentication functionality in Rails 2.3. If you've built your routine in a similar way to that as shown in the Rails documentation or blog post, you might be open to security issues.

Here's the code example in question:

class PostsController < ApplicationController
  Users = {"dhh" => "secret"}
  before_filter :authenticate
  def index
    render :text => "You needed a password to see this…"
  def authenticate
    realm = "Application"
    authenticate_or_request_with_http_digest(realm) do |name|

Notice that authenticate uses the Users hash to authenticate the HTTP Digest Auth request? When you call hashes with non-existing keys, nil is returned. Luckily, Rails' digest authentication routines consider a response of nil as an authentication failure but if the password actually supplied is blank (ending up as nil), things don't quite work out as intended since nil == nil and you get right through the authentication!

Nate has written up a ton of info about this, including a test and a patch, and it's a must-read unless you're totally confident you have this covered already.

Worryingly, Nate claims that he has had little luck in raising this vulnerability with the Rails core team:

I've attempted to contact this security list and a couple members on the core team through their individual email accounts over a week ago. I've only received one response last Thursday that someone would look into it, but the issue seemed to die there.

Now that enough time has been given for the security list to look into the problem (and hopefully not ignore it), the best practice I thought would be to tell as many people as possible about it so the fix can be applied and publicized. I felt I'd get a lot bigger audience here at Hacker news than the rails bug tracker. The bigger the audience the more people that can get their Rails 2.3 instances fixed if they are effected and avoid a problem. I was also planning on posting it there, but feel free to do it as well.

Post to Twitter Tweet This Post

Vaguely Related Posts (Usually)

4 Comment Responses to “Warning: Security Hole In Rails 2.3's HTTP Digest Authentication”

  1. #1
    Ken Collins Says:

    I'd say this code example supplied looks week to me. An index method on the User model, hate those. A block that has no password argument which does not even use it. Something in the example seems bad and what has made the security hole.

  2. #2
    Fran Says:

    Interesting warning, buy how many real-world applications have vulnerable code?

  3. #3
    Peter Cooper Says:

    I'd say digest auth isn't particularly popular versus basic, but I could be wrong. The key is that the code example was given as a kinda canonical example so a lot of people might have copy/pasted it without much regard, so it's still worth raising.

  4. #4
    Alan Brown Says:

    A quick google search for this method name against rubyforge only gets one hit

Leave a Reply