Applying the Rails XSS vulnerability patch

04 Sep 2009

I'm probably making this harder than it should be... but if so, the Internet will correct me :-)

Anyhow, I wanted to apply the Rails XSS vulnerability patch on a machine that was running Rails 2.3.2. The gems weren't frozen to the app, though, they were just out there in /usr/local/lib/ruby/gems/1.8/gems/.

I moved over to the gems directory and tried to apply the patch, but I got the "which file do you want to apply the patch to" message. It makes sense; the patch wants to make the change to (for example) activesupport/lib/active_support/multibyte.rb and all the gem directories have the version numbers attached - e.g., activesupport-2.3.2. I was getting ready to kind of pick the patch apart but then thought "hold on, symlinks!" So I did this:

$ cd /usr/local/lib/ruby/gems/1.8/gems/
$ sudo ln -s activesupport-2.3.2 activesupport
$ sudo ln -s actionpack-2.3.2 actionpack
$ sudo patch -p1 < /home/tom/2-3-CVE-2009-3009.patch
patching file activesupport/lib/active_support/multibyte.rb
patching file activesupport/lib/active_support/multibyte/chars.rb
Hunk #2 succeeded at 283 (offset -15 lines).
Hunk #4 succeeded at 622 (offset -15 lines).
patching file activesupport/lib/active_support/multibyte/utils.rb
patching file activesupport/test/multibyte_utils_test.rb
patching file actionpack/lib/action_view/helpers/tag_helper.rb
$ sudo rm -f actionpack
$ sudo rm -f activesupport

Restart the app, and huzzah! All's well.