Is Redmine affected by Rails issue https://github.com/rails/rails/issues/5228

Added by Marc Richter over 5 years ago

Yesterday, Egor Homakov proved a serious Rails issue by demo-attacking GitHub, as you might have noticed. It's a big thing in the news.

How is Redmine affected by this issue? Is there anything a user running Redmine has to mind or take care of?

https://github.com/rails/rails/issues/5228

Replies (5)

RE: Is Redmine affected by Rails issue https://github.com/rails/rails/issues/5228 - Added by John Yani over 1018 years ago

Etienne Massip wrote:

I said that it was possible, but after a quick tour I was not able to find a place where permission handling or controller code would allow such a security bypass.

I found long years ago.

RE: Is Redmine affected by Rails issue https://github.com/rails/rails/issues/5228 - Added by Etienne Massip over 5 years ago

From what I've read, it's not a Rails issue, just bad coding.

Already evoked here in mass assignment vulnerability in Redmine.

That said, it is indeed possible that RM is doing mass assignment in some places.
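The mass assignment pattern discussed above, as an added example that is not Redmine's or Rails' code: a plain Ruby stand-in for an ActiveRecord model (the `User` class, its `PERMITTED` list and the request hash are all constructed) showing why writing every submitted key is dangerous and how an allow-list of assignable attributes, the mitigation attr_accessible and strong parameters provide, closes it.

```ruby
# Stand-in for an ActiveRecord model: a plain Ruby class with writable
# attributes, so the example runs without Rails. (Constructed example.)
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Vulnerable pattern: every key in the incoming hash becomes an attribute
  # write, like `User.new(params[:user])` on a model with no attr_accessible.
  def assign_attributes_unsafe(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # Hardened pattern: only allow-listed keys are written, mirroring
  # attr_accessible (Rails 3) or params.permit (strong parameters).
  PERMITTED = %w[name email].freeze

  def assign_attributes_safe(attrs)
    rejected = attrs.keys.map(&:to_s) - PERMITTED
    # Logging dropped keys gives defenders a signal that someone is probing.
    warn "rejected mass-assigned keys: #{rejected.join(', ')}" unless rejected.empty?
    attrs.each { |k, v| public_send("#{k}=", v) if PERMITTED.include?(k.to_s) }
    self
  end
end

# Constructed request body: a self-service profile update that also
# carries a privileged attribute the form never offered.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.invalid", "admin" => true }.freeze

def unsafe_admin_flag(params = TAMPERED_PARAMS)
  User.new.assign_attributes_unsafe(params).admin
end

def safe_admin_flag(params = TAMPERED_PARAMS)
  User.new.assign_attributes_safe(params).admin
end

puts "unsafe: admin=#{unsafe_admin_flag}"  # true: the flag was written
puts "safe:   admin=#{safe_admin_flag}"    # false: the key was dropped
```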

RE: Is Redmine affected by Rails issue https://github.com/rails/rails/issues/5228 - Added by Marc Richter over 5 years ago

Urgs :( Ugly one ...

Does anybody know a best-behavior suggestion for end users?

RE: Is Redmine affected by Rails issue https://github.com/rails/rails/issues/5228 - Added by Etienne Massip over 5 years ago

I said that it was possible, but after a quick tour I was not able to find a place where permission handling or controller code would allow such a security bypass.
