Package: ruby-rest-client / 1.6.7-6

Metadata

Package           Version   Patches format
ruby-rest-client  1.6.7-6   3.0 (quilt)

Patch series

Patch: 0001_fix set cookie CVE 2015 1820.patch

File                                   Lines changed   Added   Removed
lib/restclient/abstract_response.rb               57      43        14
lib/restclient/raw_response.rb                     5       3         2
lib/restclient/request.rb                          4       2         2
lib/restclient/response.rb                         7       2         5
4 files changed, 50 insertions(+), 23 deletions(-)

 CVE-2015-1820: rest-client passes values from set-cookie headers to arbitrary redirection target
 When Ruby rest-client processes an HTTP redirection response, it blindly passes
 along the values from any Set-Cookie headers to the redirection target,
 regardless of domain, path, or expiration.
 .
 This is very similar to CVE-2015-2296, which affected python-requests.
 http://www.openwall.com/lists/oss-security/2015/03/14/4
 .
 The issue could be similarly exploited in the following ways:
 .
 * If you are the redirection source (i.e. you can make rest-client hit your
   URL), you can make rest-client perform a request to any third-party domain with
   cookies of your choosing. This may be useful in performing a session fixation
   attack.
 * If you are the redirection target (i.e. you can make a third-party
   site redirect to your URL), you can steal any cookies set by the third-party
   redirection.
 .
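
The two exploitation paths in the description both come from the same root cause: cookies received on a 3xx response were attached to the next request without any scoping. The following Ruby is an added illustration written for this page; it is not rest-client's code and not the patch above. It contrasts the naive behaviour (every Set-Cookie value is forwarded to whatever host the Location header names) with a cookie jar that applies the RFC 6265 domain, path and expiry rules before deciding what the redirected request may carry. The source URL, target URLs and Set-Cookie headers are constructed sample data, and the method names (naive_redirect_cookies, scoped_redirect_cookies and their helpers) are this example's own.

```ruby
require 'uri'
require 'time'

# One stored cookie. host_only is true when the server sent no Domain
# attribute, in which case only the exact origin host may receive it.
Cookie = Struct.new(:name, :value, :domain, :path, :expires, :host_only)

# RFC 6265 section 5.1.4: default path is the request path up to, but not
# including, its last slash; "/" when that would be empty.
def default_path(request_path)
  return '/' if request_path.nil? || !request_path.start_with?('/')
  idx = request_path.rindex('/')
  idx.zero? ? '/' : request_path[0...idx]
end

# RFC 6265 section 5.1.3: host equals the domain or ends with "." + domain.
def domain_match?(host, domain)
  host = host.downcase
  host == domain || host.end_with?(".#{domain}")
end

# RFC 6265 section 5.1.4 path-match.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Parse one Set-Cookie header received from request_uri. Returns nil when the
# cookie must be discarded (malformed, or Domain does not cover the host that
# set it, which is what stops a.example.com from planting cookies for
# bank.example.com).
def parse_set_cookie(header, request_uri, now = Time.now)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.to_s.split('=', 2)
  return nil if name.nil? || name.strip.empty?
  opts = {}
  attrs.each do |a|
    k, v = a.split('=', 2)
    opts[k.strip.downcase] = v.to_s.strip
  end
  host = request_uri.host.downcase
  domain, host_only = host, true
  if opts['domain'] && !opts['domain'].empty?
    d = opts['domain'].downcase.sub(/\A\./, '')
    return nil unless domain_match?(host, d)
    domain, host_only = d, false
  end
  path = opts['path'].to_s.start_with?('/') ? opts['path'] : default_path(request_uri.path)
  expires = nil
  expires = (Time.parse(opts['expires']) rescue nil) if opts['expires']
  expires = now + opts['max-age'].to_i if opts['max-age'] # Max-Age wins over Expires
  Cookie.new(name.strip, value.to_s.strip, domain, path, expires, host_only)
end

# Decide whether a stored cookie may be sent to target_uri.
def cookie_applies?(cookie, target_uri, now = Time.now)
  return false if cookie.expires && cookie.expires <= now
  host = target_uri.host.downcase
  if cookie.host_only
    return false unless host == cookie.domain
  else
    return false unless domain_match?(host, cookie.domain)
  end
  target_path = target_uri.path.to_s.empty? ? '/' : target_uri.path
  path_match?(target_path, cookie.path)
end

# Vulnerable behaviour: every name=value pair from the redirect response is
# forwarded to the redirect target, regardless of domain, path or expiry.
def naive_redirect_cookies(set_cookie_headers, _source_uri, _target_uri)
  set_cookie_headers.map { |h| h.split(';').first.strip }
end

# Hardened behaviour: store the cookies against the host that set them, then
# only forward those that are in scope for the redirect target.
def scoped_redirect_cookies(set_cookie_headers, source_uri, target_uri, now = Time.now)
  set_cookie_headers.map { |h| parse_set_cookie(h, source_uri, now) }.compact
                    .select { |c| cookie_applies?(c, target_uri, now) }
                    .map { |c| "#{c.name}=#{c.value}" }
end

# Constructed sample: a login endpoint answers with a redirect and three cookies.
SOURCE_URI = URI('https://www.example.com/login')
SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; HttpOnly',                          # host-only
  'pref=dark; Domain=example.com; Path=/',                     # whole domain
  'old=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT'               # already expired
].freeze

if $PROGRAM_NAME == __FILE__
  [URI('https://attacker.example.net/'), URI('https://api.example.com/v1'),
   URI('https://www.example.com/account')].each do |target|
    puts "#{target}: naive=#{naive_redirect_cookies(SAMPLE_SET_COOKIE, SOURCE_URI, target)} " \
         "scoped=#{scoped_redirect_cookies(SAMPLE_SET_COOKIE, SOURCE_URI, target)}"
  end
end
```

With the naive path, a redirect from www.example.com to attacker.example.net carries the session cookie to the attacker (the second bullet above), and a redirect the attacker controls can seed the victim's next request with any name=value pair (the first bullet). With the scoped path the attacker's host receives nothing, a sibling host under example.com receives only the Domain=example.com cookie, and the expired cookie is never sent.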