puma--puma/projects/cgi_multipart_eof_fix/README


cgi_multipart_eof_fix

Fix an exploitable bug in CGI multipart parsing.

== License

Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Jeremy Kemper, Jamis Buck, Zed A. Shaw, and Yukihiro Matsumoto, and used with permission. See the included LICENSE file. 

== Description

Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5. When multipart boundary attributes contain non-halting regular expression strings, the boundary searcher in the CGI module does not properly escape the parameter and will execute arbitrary regular expressions. This fix adds escaping for the user data.

* Affected application servers: standalone CGI, Mongrel, WEBrick
* Unaffected: FastCGI, Ruby 1.8.6 (all servers)
* Unknown: mod_ruby

This fix will not modify versions of Ruby greater than 1.8.5, and is cumulative with previous CGI multipart vulnerability fixes.

== Usage

Install the gem:
  sudo gem install cgi_multipart_eof_fix

Run the included test to verify that the patch works as intended. Then, <tt>require</tt> the gem in every affected application, as follows:

  require 'rubygems' 
  require 'cgi_multipart_eof_fix'
  
Currently <tt>mongrel_rails</tt> requires this gem automatically. However, Mongrel may change in the future.

== Reporting problems

* http://rubyforge.org/tracker/?group_id=1306

== Further resources

* http://rubyforge.org/mailman/listinfo/mongrel-users
* http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix
* http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
initial import of cgi_multipart_eof_fix git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@543 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 16:14:18 -04:00
			`cgi_multipart_eof_fix`

			`Fix an exploitable bug in CGI multipart parsing.`

			`== License`

			`Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Jeremy Kemper, Jamis Buck, Zed A. Shaw, and Yukihiro Matsumoto, and used with permission. See the included LICENSE file.`

			`== Description`

			`Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5. When multipart boundary attributes contain non-halting regular expression strings, the boundary searcher in the CGI module does not properly escape the parameter and will execute arbitrary regular expressions. This fix adds escaping for the user data.`

simplify readme structure git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@576 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-22 06:38:43 -04:00			`* Affected application servers: standalone CGI, Mongrel, WEBrick`
initial import of cgi_multipart_eof_fix git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@543 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 16:14:18 -04:00			`* Unaffected: FastCGI, Ruby 1.8.6 (all servers)`
			`* Unknown: mod_ruby`

simplify readme structure git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@576 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-22 06:38:43 -04:00			`This fix will not modify versions of Ruby greater than 1.8.5, and is cumulative with previous CGI multipart vulnerability fixes.`
initial import of cgi_multipart_eof_fix git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@543 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 16:14:18 -04:00
			`== Usage`

simplify readme structure git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@576 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-22 06:38:43 -04:00			`Install the gem:`
			`sudo gem install cgi_multipart_eof_fix`

initial import of cgi_multipart_eof_fix git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@543 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 16:14:18 -04:00			`Run the included test to verify that the patch works as intended. Then, <tt>require</tt> the gem in every affected application, as follows:`

			`require 'rubygems'`
			`require 'cgi_multipart_eof_fix'`

actually, mongrel_rails does the require git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@547 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 18:25:22 -04:00			`Currently <tt>mongrel_rails</tt> requires this gem automatically. However, Mongrel may change in the future.`
initial import of cgi_multipart_eof_fix git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@543 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 16:14:18 -04:00
make tracker url more prominent git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@575 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-22 06:33:37 -04:00			`== Reporting problems`

			`* http://rubyforge.org/tracker/?group_id=1306`

initial import of cgi_multipart_eof_fix git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@543 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 16:14:18 -04:00			`== Further resources`

changelog git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@546 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 17:56:45 -04:00			`* http://rubyforge.org/mailman/listinfo/mongrel-users`
update doc links git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@571 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-19 15:27:29 -04:00			`* http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix`
initial import of cgi_multipart_eof_fix git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@543 19e92222-5c0b-0410-8929-a290d50e31e9 2007-08-13 16:14:18 -04:00			`* http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/`