cgi_multipart_eof_fix

Fix an exploitable bug in CGI multipart parsing.

License

Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Jeremy Kemper, Jamis Buck, Zed A. Shaw, and Yukihiro Matsumoto, and used with permission. Licensed under both the AFL 3.0 and Ruby License.

Description

Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5. When multipart boundary attributes contain non-halting regular expression strings, the boundary searcher in the CGI module does not properly escape the parameter and will execute arbitrary regular expressions. This fix adds escaping for the user data.

This is fix is cumulative with previous CGI multipart vulnerability fixes; see version 1.0.0 of the gem by Jamis Buck et. al.

Installation

sudo gem install cgi_multipart_eof_fix

Scope

  • Affected: standalone CGI, Mongrel, WEBrick

  • Unaffected: FastCGI, Ruby 1.8.6 (all servers)

  • Unknown: mod_ruby

This library will not modify versions of Ruby greater than 1.8.5.

Usage

Run the included test to verify that the patch works as intended. Then, require the gem in every affected application, as follows:

require 'rubygems' 
require 'cgi_multipart_eof_fix'

Currently Mongrel requires this gem automatically. However, Mongrel may change in the future.

Further resources