chargebee / chargebee-ruby

Ruby library for the Chargebee API.
https://apidocs.chargebee.com/docs/api?lang=ruby
MIT License

Upgrade CGI to fix security vulnerabilities #61

Closed ball-hayden closed 2 years ago

ball-hayden commented 2 years ago

See https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ and https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

The CGI version was pinned in https://github.com/chargebee/chargebee-ruby/commit/01297e3cdbf1f8eb85c4dd68a49056edf9607237, with no meaningful explanation of why.

All tests pass, except for https://github.com/chargebee/chargebee-ruby/issues/60 which also fails on master.

williantenfen commented 2 years ago

:+1: @cb-dyaneshwaran @cb-prajaktachavan

pedantic-git commented 2 years ago

I just hit this coming back to an old codebase. Is there any update from Chargebee on when this change will be implemented?

I think this is a real security issue because there are two places in the codebase where external data is passed directly to the CGI.escape function, so I'm keen to get this patch into my dependency chain.

ball-hayden commented 2 years ago

@cb-khushbubibay would you be able to look into this please?

ball-hayden commented 2 years ago

@pedantic-git in the mean time, you're welcome to use our fork:

gem "chargebee", github: "PlayerData/chargebee-ruby", branch: "upgrade-cgi"

cb-khushbubibay commented 2 years ago

> @cb-khushbubibay would you be able to look into this please?

Thanks for being patient. Our team is working on it and will release this ASAP.

pedantic-git commented 2 years ago

@cb-khushbubibay Thank you so much! I'm really happy to hear that.

@ball-hayden Thank you! I have my own fork but it's definitely only a temporary solution.

cb-yateshmathuria commented 2 years ago

We have released a patch version v2.11.1 to address this.