homakov on May 6, 2014 | on: Rails Directory Traversal Vulnerability (CVE-2014-...
So rare that I'm not sure why this got any attention. There are more interesting bugs to look at, which I do see in the wild a lot (e.g. redirect_to params[:return_url]).
epochwolf on May 6, 2014
If anyone is interested, I've got a set of helper functions for redirects.
https://github.com/epochwolf/litsocial/blob/master/app/lib/c...
homakov on May 6, 2014 | parent
Redirects are hard to get right. Bypass 1 - //host.com. Even if you use the URI library, Bypass 2 - ///host.com
epochwolf on May 7, 2014 | root | parent
Good point, I'll need to modify the redirect to disallow multiple slashes at the beginning.
That should be something like /\A(http(s?):\/\/#{request.host_with_port}|\/\Z|\/[^\/])/
homakov on May 8, 2014 | root | parent
/\host.com
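The thread ends with three inputs that defeat a naive "starts with a single slash" check: //host.com, ///host.com and /\host.com. The following Ruby helper is an added example written for this page, not code from either commenter or from the linked litsocial repository. It accepts only a local path (a single leading slash not followed by another slash or a backslash) or an absolute http(s) URL whose host:port exactly equals the application's own, and falls back to a fixed path for anything else. The function name safe_return_path and the app_host parameter are this example's own; app_host stands in for the request.host_with_port value that epochwolf's regex interpolates.

```ruby
require "uri"

# Added example (not from the thread): decide whether a user-supplied return
# URL may be passed to redirect_to, or whether to fall back to a fixed local
# path. `app_host` stands in for Rails' request.host_with_port, which reads
# "example.com" on a default port and "example.com:3000" otherwise.
#
# Accepted shapes:
#   * a local path: exactly one leading "/" followed by neither "/" nor "\",
#     or the bare "/" (this rejects //host.com, ///host.com and /\host.com,
#     all of which browsers treat as protocol-relative URLs)
#   * an absolute http(s) URL whose host[:port] is exactly the application's
def safe_return_path(candidate, app_host, fallback: "/")
  return fallback unless candidate.is_a?(String) && !candidate.empty?

  # Backslashes, whitespace and control characters are rejected outright:
  # browsers normalise "\" to "/" and strip some control characters before
  # parsing, so a check that only sees the raw string is easy to fool.
  return fallback if candidate.include?("\\") || candidate.match?(/[\s\x00-\x1f\x7f]/)

  if candidate.start_with?("/")
    # Local path: the second character, if there is one, must not be a slash.
    return candidate if candidate == "/" || candidate.match?(%r{\A/[^/]})
    return fallback
  end

  begin
    uri = URI.parse(candidate)
  rescue URI::InvalidURIError
    return fallback
  end
  return fallback unless %w[http https].include?(uri.scheme) && uri.host

  # Rebuild host[:port] the way request.host_with_port reports it, then
  # require an exact match. "http://example.com@evil.com" parses with host
  # "evil.com", and "http://example.com.evil.com" is simply a different host,
  # so both fall through to the fallback.
  host_with_port = uri.port == uri.default_port ? uri.host : "#{uri.host}:#{uri.port}"
  host_with_port == app_host ? candidate : fallback
end

# Constructed sample inputs, including the three bypasses raised in the thread.
SAMPLE_RETURN_URLS = [
  "/account",
  "//host.com",
  "///host.com",
  "/\\host.com",
  "http://example.com/account",
  "https://example.com@evil.com/",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RETURN_URLS.each do |url|
    puts "#{url.ljust(32)} -> #{safe_return_path(url, 'example.com')}"
  end
end
```

In a controller this would be used as redirect_to safe_return_path(params[:return_url], request.host_with_port). Comparing the parsed host:port against a single known value, rather than matching the host as a substring or prefix, is what keeps lookalike hosts and userinfo tricks out; the explicit backslash and control-character rejection covers the inputs that a URI parser and a browser interpret differently.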