On Thu, Feb 18, 2016 at 8:35 PM, Thorsten Alteholz <firstname.lastname@example.org> wrote:
> On irc you wrote:
> 15:05 < Nirkus> have some old redmine running on squeeze-lts (yeah..) and since the update yesterday the following redmine code bails out with "private method `split' called for nil:NilClass" at the following line:
> 15:06 < Nirkus> @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] : (@env['REQUEST_URI'].split('?', 2) || '')
> In CVE-2015-7519 it was detected that it is possible to obtain
> unauthorized access if you send http variables with "_" instead of "-". More information can be found here. As a solution it was proposed to simply filter out all variables containing an "_". This was already done in mod_cgi of apache and now I applied a similar patch to libapache2-mod-passenger as well.
> Unfortunately there seems to be software that relies on underscores in variable names. So if you need such variables you might want to use the workaround for apache, described in.
I am only scratching the surface of Ruby, Passenger, Rack/Rails and
Redmine, so corrections and clarifications welcome. :)
This is my interpretation of the blog entry for CVE-2015-7519:
- In order to make HTTP headers of a request available as per-request
environment variables, Passenger
* prefixes the header names with "HTTP_"
* converts those names to upper case
* converts all non-alphanumeric characters in header names to underscore ("_")
- This behavior allows attackers to pass in per-request env. variables
that look like trusted, internal headers to applications
(header names "X-User" and "X~User" both get converted to variable
Judging from my above interpretation, CVE-2015-7519 should be
mitigated by discarding all request headers with names containing
other characters than alphanumeric and hyphen ("-").
This is my current understanding of the issue with our legacy Redmine system:
- After applying the update of libapache2-mod-passenger to mitigate
CVE-2015-7519, libactionpack-ruby1.8 fails to access either of
parameters 'QUERY_STRING' and 'REQUEST_URI'
- The above-mentioned parameters are retrieved from the Rack/Rails
request environment "hash"
- The Rails/Rack requests env. "hash"[L1] gets populated based on
per-request environment variables received from Passenger
- 'QUERY_STRING' and 'REQUEST_URI' are per-request env. variables
describing the request passed on by Passenger
- Both above-mentioned parameters are not prefixed by "HTTP_" and
therefore not in scope of CVE-2015-7519
I am not sure whether REQUEST_URI and QUERY_STRING are actually passed
as per-request env. variables by Passenger or added to the env hash by
Still, this looks like a regression to me, since it removes previously
available variables, which should not be in scope of CVE-2015-7519.
>  https://security-tracker.debian.org/tracker/CVE-2015-7519
>  https://blog.phusion.nl/2015/12/07/cve-2015-7519/
>  http://mail-archives.apache.org/mod_mbox/httpd-dev/201010.mbox/<email@example.com>
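The header-name normalisation and the two filter placements discussed in this thread, as an added Ruby model that is not code from Passenger, Rack, ActionPack or the Debian patch; the functions, the sample request and the assumption that the regression comes from filtering the assembled env hash (rather than raw header names) are all mine.

```ruby
# Added example, not code from Passenger, Rack or the Debian patch. It models
# the header-to-env-variable conversion described in the thread and contrasts
# two filter placements: on raw header names (the intended CVE-2015-7519 fix)
# and on the assembled env hash (assumed here to illustrate the regression).

SAFE_HEADER_NAME = /\A[A-Za-z0-9-]+\z/ # only alphanumerics and "-" allowed

# Pre-fix behaviour: "X-User" and "X~User" both become HTTP_X_USER.
def header_to_env_name(name)
  'HTTP_' + name.upcase.gsub(/[^A-Z0-9]/, '_')
end

# Gateway builds the per-request env: CGI variables such as QUERY_STRING and
# REQUEST_URI are not HTTP_-prefixed; request headers are. With filter_headers
# set, header names containing characters outside SAFE_HEADER_NAME are dropped
# before conversion, so a spoofed "X~User" can no longer shadow "X-User".
def build_env(cgi_vars, headers, filter_headers: true)
  env = cgi_vars.dup
  headers.each do |name, value|
    next if filter_headers && name !~ SAFE_HEADER_NAME
    env[header_to_env_name(name)] = value
  end
  env
end

# Hypothetical over-broad mitigation (assumption, not the real patch): dropping
# every env key that contains an underscore. This also removes QUERY_STRING and
# REQUEST_URI, matching the symptom in the thread (nil REQUEST_URI -> split on nil).
def strip_underscore_keys(env)
  env.reject { |key, _| key.include?('_') }
end

# Nil-safe variant of the ActionPack lookup quoted in the IRC log above.
def query_string(env)
  qs = env['QUERY_STRING']
  return qs if qs && !qs.empty?
  (env['REQUEST_URI'] || '').split('?', 2)[1] || ''
end

# Constructed sample request (not captured traffic).
CGI_VARS = { 'REQUEST_URI' => '/issues?assigned_to_id=me',
             'QUERY_STRING' => 'assigned_to_id=me' }.freeze
HEADERS = { 'X-User' => 'alice', 'X~User' => 'admin' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_env(CGI_VARS, HEADERS, filter_headers: false)['HTTP_X_USER'] # admin
  puts build_env(CGI_VARS, HEADERS)['HTTP_X_USER']                        # alice
  puts query_string(strip_underscore_keys(build_env(CGI_VARS, HEADERS)))  # ""
end
```

Filtering header names before conversion keeps the non-HTTP_ CGI variables intact, which is the behaviour the reply above expects from a correct fix.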