Blacklist "original_script_name" get param #1020
Conversation
Hi @amatsuda, given that this has security implications, would you consider a 1.2.1 release that contains this fix? Thanks!

The changelog suggests this corresponds to Are any more details available explaining the potential impact of this? I see mention of Thanks

Is there a workaround that will work with version 0.17.0? https://github.com/kaminari/kaminari/blob/0-17-stable/lib/kaminari/helpers/tags.rb#L1-L15
For those of you who are still using a version below 1.0.0, please use the following patch to mitigate the security risk:

```ruby
# config/initializers/kaminari.rb
module KaminariSecurityPatch
  # Prepend this module to Kaminari's Tag helper so that the page_url_for
  # defined below takes precedence over the original implementation.
  prepend_features Kaminari::Helpers::Tag

  # Request parameters that must never be forwarded to url_for.
  # String keys: @params carries string keys (see the discussion below).
  PARAM_KEY_DENIED_LIST = %w[authenticity_token commit utf8 method script_name original_script_name].freeze

  def page_url_for(page)
    params = @params
      .merge(@param_name => (page <= 1 ? nil : page), only_path: true)
      .except(*PARAM_KEY_DENIED_LIST)
    @template.url_for(params)
  end
end
```

Edit: The script has been updated to use string keys as
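The following is an added example, not code from Kaminari, Rails or any commenter on this issue. It models the mechanism the patch above defends against: Kaminari merges every request parameter into the options it passes to `url_for`, so a query parameter named like a `url_for` option (here `original_script_name`, which Rails places in front of the path) is treated as that option. `build_url` is an assumed, deliberately minimal stand-in for `url_for`, the `//attacker.example` value is a constructed illustration, and `vulnerable_link`/`patched_link` are hypothetical helper names; the denylist is the one from the patch.

```ruby
require 'uri'

# Same denylist as the patch above, reused here as constructed test data.
PARAM_KEY_DENIED_LIST = %w[authenticity_token commit utf8 method script_name original_script_name].freeze

# Stand-in for url_for (assumption: a minimal model, not Rails' code). Like
# Rails it treats `original_script_name` and `script_name` as path prefixes,
# with `original_script_name` placed first; every other non-nil option becomes
# a query-string parameter.
def build_url(options, controller: 'posts')
  opts = options.transform_keys(&:to_s)
  prefix = "#{opts.delete('original_script_name')}#{opts.delete('script_name')}"
  opts.delete('only_path')
  pairs = opts.reject { |_k, v| v.nil? }.sort.map do |k, v|
    "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v.to_s)}"
  end
  path = "#{prefix}/#{controller}"
  pairs.empty? ? path : "#{path}?#{pairs.join('&')}"
end

# Mirrors the shape of Kaminari's page_url_for: all request parameters are
# merged into the url_for options, so a parameter sharing a name with a
# url_for option is interpreted as that option unless it is filtered out.
# Keys are normalised to strings, which is what ActionController::Parameters
# hands back and why the denylist uses string keys.
def page_url_for(request_params, page, param_name: 'page', denylist: [])
  params = request_params
           .transform_keys(&:to_s)
           .merge(param_name => (page <= 1 ? nil : page), 'only_path' => true)
           .reject { |k, _v| denylist.include?(k) }
  build_url(params)
end

# Constructed attacker request: an ordinary search parameter plus an
# `original_script_name` whose value turns the path into a link to another host.
ATTACKER_PARAMS = { 'q' => 'rails', 'original_script_name' => '//attacker.example' }.freeze

# Pagination link as generated without any parameter filtering.
def vulnerable_link(page)
  page_url_for(ATTACKER_PARAMS, page)
end

# Pagination link with the denylist applied, as the patch does.
def patched_link(page)
  page_url_for(ATTACKER_PARAMS, page, denylist: PARAM_KEY_DENIED_LIST)
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{vulnerable_link(2)}" # //attacker.example/posts?page=2&q=rails
  puts "denylisted: #{patched_link(2)}"    # /posts?page=2&q=rails
end
```

The point to check in a real application is that the denylist filters string keys: `@params` is string-keyed, so a symbol-keyed denylist would filter nothing and the unfiltered link above is what would be emitted.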
You're awesome, thanks! ❤️

Seems like I think I have two options to adjust your code:

Change the constant:

Or symbolize the keys:

Thanks!
@JamesChevalier Thanks for pointing that out. You are right that they are in fact string objects. We should use string keys as symbols could exhaust the GC in versions older than 2.2. I have just updated the snippet above. |
Kaminari released version 1.2.1 fixing CVE-2020-11082, where an attacker would be able to inject arbitrary code into pages with pagination links. Proof: kaminari/kaminari#1020 https://my.diffend.io/gems/kaminari/1.2.0/1.2.1 The changes in Kaminari 1.2.1 make the patch in config/initializer/kaminari_config.rb no longer needed.
I was looking over the source code, and I noticed that the get param black list was incomplete. Passing the `original_script_name` param will redirect to other domains.