Closed (jeltz closed this 8 years ago)
Rack::Utils.secure_compare was added in Rack 1.6.0. Should I add my own implementation of secure_compare for old Rack versions, or is it OK to depend on 1.6.0?
Sorry, I'm only just catching up on this issue. My guess is that we have to stay backwards-compatible with older versions of rack.
@zzak Thoughts?
@kytrinyx Good question, maybe we should provide our own shim for this method (if possible).
Yeah, that might be the way to go.
I have updated the pull request with the method copied from Rack::Utils so it will work with older versions of Rack too. Does this solution seem ok?
@jeltz The next release of rack-protection will only target Rack 2.0+ so we don't need to worry about the shim.
I've merged d8068e872b0f19ef9de25265552cb1b835270901, thank you!!
I have assigned CVE-2018-1000119 for this issue.
@kseifriedredhat The fix was picked into 1.5.5 as well: https://github.com/sinatra/rack-protection/commit/06f1b5d1bb00d81ebbad25414fb74f5bb9397c2f.
https://nvd.nist.gov/vuln/detail/CVE-2018-1000119 doesn't reflect that.
Who should be notified to update nvd.nist.gov/vuln/detail/CVE-2018-1000119?
NVD pulls from MITRE's CVE Database (e.g. https://cve.mitre.org / https://github.com/cveproject/cvelist/) so it's up to NVD to notice and process this. You are free to contact the NVD and ask them to hurry up.
Ah, then I guess this needs fixing: https://github.com/CVEProject/cvelist/blob/master/2018/1000xxx/CVE-2018-1000119.json
I looked around a bit, but I don't exactly know yet how the version_data section works. Will look into this later.
I already updated it.
Thanks! I guess the change hasn't propagated to GitHub yet as it is still notifying me about this vulnerability. I'll just wait for that to happen.
CVE processes the data, NVD then pulls and processes the data (this is opaque to me) and then GitHub pulls and processes the data (this is opaque to me) so it can definitely take a while.
Ah, that certainly explains the delay. Thanks for the info!
Since string comparisons may return early we want to use a constant-time comparison function to protect the CSRF token against timing attacks. Rack::Utils provides such a function.
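The point made above (an early-exit string comparison leaks how many leading bytes of the CSRF token matched) and the shim discussed earlier in the thread, as an added example that is not code from rack-protection or Rack. The instrumented early-exit comparison reports how many bytes it examined so the leak is visible without timing anything; `secure_compare` below is a constant-time comparison written in the same style as Rack::Utils.secure_compare, and `csrf_token_matches` is a hypothetical shim that prefers Rack's own method when it is present.

```ruby
# Added example (not rack-protection's or Rack's code): early-exit versus
# constant-time comparison of a CSRF token, plus a fallback shim for Rack
# versions older than 1.6.0 that lack Rack::Utils.secure_compare.

# Byte-by-byte comparison that stops at the first mismatch, which is what a
# plain String#== does in practice. Returns [equal?, bytes_examined] so the
# early exit can be observed deterministically.
def early_exit_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison: after the length check, XOR every byte pair and
# OR the differences together, so the loop always walks the whole string no
# matter where (or whether) the first mismatch occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.each_byte.with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  diff.zero?
end

# Same shape as early_exit_compare, to show the work done is independent of
# the mismatch position.
def secure_compare_steps(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  [secure_compare(a, b), a.bytesize]
end

# Hypothetical shim: use Rack's implementation when it exists (Rack >= 1.6.0),
# otherwise fall back to the local constant-time version.
def csrf_token_matches(expected, submitted)
  if defined?(Rack::Utils) && Rack::Utils.respond_to?(:secure_compare)
    Rack::Utils.secure_compare(expected, submitted)
  else
    secure_compare(expected, submitted)
  end
end

if __FILE__ == $PROGRAM_NAME
  token = "e7c1b9a2d4f6"          # constructed sample token
  p early_exit_compare(token, "x7c1b9a2d4f6")   # stops after 1 byte
  p early_exit_compare(token, "e7c1b9a2d4fx")   # stops after 12 bytes
  p secure_compare_steps(token, "x7c1b9a2d4f6")  # always 12 bytes
  p csrf_token_matches(token, token)
end
```

Note that the length check still returns early; that is acceptable for CSRF tokens because the expected token has a fixed length, so the length of a submitted value reveals nothing secret.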