Closed. ball-hayden closed this 2 years ago
:+1: @cb-dyaneshwaran @cb-prajaktachavan
I just hit this coming back to an old codebase. Is there any update from Chargebee on when this change will be implemented?
I think this is a real security issue because there are two places in the codebase where external data is passed directly to the CGI.escape function, so I'm keen to get this patch into my dependency chain.
@cb-khushbubibay would you be able to look into this please?
@pedantic-git in the mean time, you're welcome to use our fork:
gem "chargebee", github: "PlayerData/chargebee-ruby", branch: "upgrade-cgi"
Thanks for being patient. Our team is working on it and will release this ASAP.
@cb-khushbubibay Thank you so much! I'm really happy to hear that.
@ball-hayden Thank you! I have my own fork but it's definitely only a temporary solution.
We have released a patch version v2.11.1 to address this.
See https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ and https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
The CGI version was pinned in https://github.com/chargebee/chargebee-ruby/commit/01297e3cdbf1f8eb85c4dd68a49056edf9607237, with no meaningful explanation of why.
All tests pass, except for https://github.com/chargebee/chargebee-ruby/issues/60 which also fails on master.