Clearance 0.16.3 fixes a password reset vulnerability

time to update your clearance gem if you haven't applied the latest rails update. #rails #security

June 1, 2012 Tagged: clearance security sql injection nil Comments (View) Clearance 0.16.3 fixes a password reset vulnerability The new release of Clearance works around the latest Rails SQL injection . Upgrade to Clearance 0.16.3 for the security fix. gem 'clearance', '~> 0.16.3' Background In Clearance we generate a confirmation_token when you forget your password, and clear it when you successfully reset your password. In the controller we find the user like this: @user = User.find_by_id_and_confirmation_token(params[:user_id], params[:token]) This approximately translates to this ARel query: User.where(:id => params[:user_id], :confirmation_token => params[:token]) Normally this generates perfectly safe SQL: SELECT users.* FROM users WHERE users.id = 1 AND users.confirmation_token = 'hello' LIMIT 1 Exploit If params[:token] is a list with one nil element, the generated...

Full article: http://robots.thoughtbot.com/post/24197949040/clearance-0...