

MultiXml gem has same vulnerability as Rails' CVE-2013-0156 – patch now - fowlduck
https://gist.github.com/d7f6d9f4925f413621aa

======
jrochkind1
Hmm, I'm not sure you could say it has "the same vulnerability".

It has the same vulnerability if you pass untrusted input to it, okay.

But the point of the Rails vulnerability is that every Rails app, by default,
was set up to accept external user input and run it through an XML parser.
Even if you didn't realize it.

If you are using MultiXml, you may or may not be passing untrusted user input
to it, depends on what you did with it.

Right?

~~~
fowlduck
It is the same vulnerability at a fundamental level (it's virtually the same
code), but it isn't exploitable out of the box in the same way Rails was, at
least not on its own. However, there is a web framework, Grape, that was
exploitable in exactly the same way that Rails was due to MultiXml's
vulnerability.

And, really, technically, it was ActiveSupport that had this vulnerability.
Even outside of Rails, had you used Hash.from_xml on untrusted user input you
would have run into exactly the same issues.

------
kanzure
Yo dawgs, the mailchimp, aws-sdk, jenkins and twilio gems use HTTParty which
uses multi_xml. You should look into this.

~~~
bradly
Quick clarification: The multi_xml gem has _not_ been updated, so there is
nothing to upgrade, correct? Just the monkey-patch fix?

~~~
kanzure
Oh hmm, I guess that's a good thing to point out. Yes, the multi_xml gem has
not been upgraded, and the listed dependencies for httparty and mailchimp
haven't changed either.

------
nelhage
I strongly recommend loading something like this in your Ruby applications:
<https://gist.github.com/4507129>

It will prevent YAML.rb from instantiating arbitrary objects, which will close
off this entire class of problems.

Obviously, if you _do_ use YAML as a serialization format for arbitrary
objects, this won't work, but odds are you aren't doing that.

~~~
bradleybuda
Unfortunately, it doesn't look like this patch works in Ruby 1.9, where YAML
is actually the Psych module. Any Psych experts know how to make this
1.9-compatible?

~~~
thibaut_barrere
It doesn't work for me either on 1.9 - anyone with an explanation?

I commented here:

<https://gist.github.com/4507129>

~~~
sferik
The patch I applied does not use YAML.tagged_classes.
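To make concrete what the thread is describing, here is an added example that is not code from multi_xml, ActiveSupport, Rails or the gists linked above. It reproduces the `type` attribute typecasting that `Hash.from_xml` and multi_xml shared (fowlduck's point that it is "virtually the same code"), then shows the two independent fixes the thread circles around: refusing the `yaml` and `symbol` type attributes in the XML parser, and refusing arbitrary object instantiation in the YAML loader. The loader-side fix uses Psych's `safe_load` rather than the gist patch, since that gist was reported above not to work on Psych. Every class and method name, the `AttackerChosen` class and both XML bodies are this example's own assumptions.

```ruby
require 'rexml/document'
require 'yaml'

# Added example, not code from multi_xml, ActiveSupport or the gists in this
# thread. It reproduces the "type" attribute typecasting Hash.from_xml and
# multi_xml shared, then shows two independent fixes: refusing the dangerous
# type attributes in the parser (the shape of the Rails/multi_xml fix) and
# refusing arbitrary objects in the YAML loader (done with Psych's safe_load
# here, not the gist above). All class and method names are this example's own.

class DisallowedTypeError < StandardError; end

# Stand-in for any loaded class: the request body picks what gets instantiated.
class AttackerChosen
  attr_accessor :cmd
end

# Psych 4 (Ruby 3.1+) made YAML.load refuse arbitrary classes; use the
# unrestricted loader where it exists so the vulnerable path behaves as in 2013.
def full_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Deliberately vulnerable: the sender's attribute decides how the element
# text is decoded. "yaml" hands the text to the full object loader and
# "symbol" interns attacker-controlled strings.
def typecast_unsafe(type, text)
  case type
  when 'integer' then Integer(text, 10)
  when 'boolean' then text == 'true'
  when 'symbol'  then text.to_sym
  when 'yaml'    then full_yaml_load(text)
  else text
  end
end

# Fix 1: reject the two dangerous types before looking at the text at all.
def typecast_safe(type, text, disallowed: %w[yaml symbol])
  if disallowed.include?(type)
    raise DisallowedTypeError, "Disallowed type attribute: #{type.inspect}"
  end
  typecast_unsafe(type, text)
end

# Fix 2: still honour type="yaml", but only through a loader that stops at
# scalars, arrays and hashes; anything tagged raises Psych::DisallowedClass.
def typecast_restricted_yaml(type, text)
  type == 'yaml' ? YAML.safe_load(text) : typecast_unsafe(type, text)
end

# Walks a flat <params> document, typecasting each child element under the
# chosen policy (:unsafe, :safe or :restricted_yaml).
def parse_params(xml, policy)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, params|
    type = el.attributes['type']
    text = el.text.to_s
    params[el.name] =
      case policy
      when :unsafe          then typecast_unsafe(type, text)
      when :safe            then typecast_safe(type, text)
      when :restricted_yaml then typecast_restricted_yaml(type, text)
      else raise ArgumentError, "unknown policy #{policy.inspect}"
      end
  end
end

# The exception class a policy raises for the document, or nil if it parses.
def rejection_for(xml, policy)
  parse_params(xml, policy)
  nil
rescue DisallowedTypeError, Psych::DisallowedClass => e
  e.class
end

# Constructed request bodies: one ordinary, one modelled on the CVE-2013-0156 vector.
BENIGN_XML = <<~XML
  <params>
    <name type="string">alice</name>
    <age type="integer">30</age>
    <active type="boolean">true</active>
  </params>
XML

MALICIOUS_XML = <<~XML
  <params>
    <name type="string">alice</name>
    <evil type="yaml">--- !ruby/object:AttackerChosen
  cmd: id
  </evil>
  </params>
XML

if __FILE__ == $PROGRAM_NAME
  p parse_params(MALICIOUS_XML, :unsafe)['evil']
  p rejection_for(MALICIOUS_XML, :safe)
  p rejection_for(MALICIOUS_XML, :restricted_yaml)
end
```

Under the `:unsafe` policy the malicious body comes back with an `AttackerChosen` instance in it, built purely because the request said `type="yaml"`; no application code ever named that class. Fix 1 is the cheap and complete one for the XML path and is the shape of the fix Rails shipped for CVE-2013-0156 (yaml and symbol types disallowed). Fix 2 closes the loader but, as the `type="symbol"` case shows, does nothing about symbol interning, so it belongs alongside the first as defence in depth, not instead of it.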

------
fowlduck
Grape is also affected:

<https://groups.google.com/forum/?fromgroups=#!topic/ruby-grape/qX38Iy1Bwo8>

------
fowlduck
A version of multi_xml with this fix has been pushed:

<https://rubygems.org/gems/multi_xml/versions/0.5.2>

------
jfirebaugh
I'm keeping track of a list of vulnerable gems here:
<https://gist.github.com/4532291>

