Comments:"Security announcement: Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 released | Plataformatec Blog"
Hi everybody.
I’d like to announce that Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 have been released with a security patch. Upgrade immediately unless you are using PostgreSQL or SQLite3. Users of all other databases (including NoSQL ones) require immediate upgrade.
Using a specially crafted request, an attacker could trick the database type conversion code to return incorrect records. For some token values this could allow an attacker to bypass the proper checks and gain control of other accounts.
In case you are using a Devise series older than the ones listed above, recommendations are provided below back to v1.2 series. Regardless, an upgrade to more recent versions is advised.
Versions affected
We checked all Devise versions released in the previous two years and recommendations follows as below.
v1.5, v2.0, v2.1 and v2.2 series
You can upgrade to any of v2.2.3, v2.1.3, v2.0.5 and v1.5.4. In case an upgrade is not feasible, please add the following patch to config/initializers/devise_patch.rb inside your Rails application:
Devise::ParamFilter.class_evaldodef param_requires_string_conversion?(_value); true; endend |
v1.4 series
Please add the following patch to config/initializers/devise_patch.rb inside your Rails application:
Devise::Models::Authenticatable::ClassMethods.class_evaldodef auth_param_requires_string_conversion?(value); true; endend |
Please upgrade to more recent versions.
v1.2 and v1.3 series
Not affected by this vulnerability. Please upgrade to more recent versions.
Upgrade notice
When upgrading to any of v2.2.3, v2.1.3, v2.0.5 and v1.5.4, some people may be relying on some wrong behaviour to filter data retrieved on authentication. For example, one may have writen in his model:
def find_for_authentication(conditions) conditions[:active] = truesuperend |
The code above may no longer work and needs to be rewriten as:
def find_for_authentication(conditions) find_first_by_auth_conditions(conditions, active: true)end |
Thank you notes
We would like to thank joernchen of Phenoelit for disclosing this vulnerability and working with us on a patch.
Tags: devise, security fix
This entry was posted on Monday, January 28th, 2013 at 1:03 pm and is filed under English. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.