{"id":3334,"date":"2013-01-28T13:03:28","date_gmt":"2013-01-28T15:03:28","guid":{"rendered":"http:\/\/blog.plataformatec.com.br\/?p=3334"},"modified":"2013-01-28T17:39:02","modified_gmt":"2013-01-28T19:39:02","slug":"security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released","status":"publish","type":"post","link":"https:\/\/blog.plataformatec.com.br\/2013\/01\/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released\/","title":{"rendered":"Security announcement: Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 released"},"content":{"rendered":"<p>Hi everybody.<\/p>\n<p>I&#8217;d like to announce that Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 have been released with a security patch. <strong>Upgrade immediately<\/strong> unless you are using PostgreSQL or SQLite3. Users of all other databases (including NoSQL ones) require immediate upgrade.<\/p>\n<p>Using a specially crafted request, an attacker could trick the database type conversion code to return incorrect records. For some token values this could allow an attacker to bypass the proper checks and gain control of other accounts.<\/p>\n<p>In case you are using a Devise series older than the ones listed above, recommendations are provided below back to v1.2 series. Regardless, an upgrade to more recent versions is advised.<\/p>\n<h3>Versions affected<\/h3>\n<p>We checked all Devise versions released in the previous two years and recommendations follows as below.<\/p>\n<p><strong>v1.5, v2.0, v2.1 and v2.2 series<\/strong><\/p>\n<p>You can upgrade to any of v2.2.3, v2.1.3, v2.0.5 and v1.5.4. In case an upgrade is not feasible, please add the following patch to <code>config\/initializers\/devise_patch.rb<\/code> inside your Rails application:<\/p>\n<pre lang=\"ruby\">\nDevise::ParamFilter.class_eval do\n  def param_requires_string_conversion?(_value); true; end\nend\n<\/pre>\n<p><strong>v1.4 series<\/strong><\/p>\n<p>Please add the following patch to <code>config\/initializers\/devise_patch.rb<\/code> inside your Rails application:<\/p>\n<pre lang=\"ruby\">\nDevise::Models::Authenticatable::ClassMethods.class_eval do\n  def auth_param_requires_string_conversion?(value); true; end\nend\n<\/pre>\n<p>Please upgrade to more recent versions.<\/p>\n<p><strong>v1.2 and v1.3 series<\/strong><\/p>\n<p>Not affected by this vulnerability. Please upgrade to more recent versions.<\/p>\n<h3>Upgrade notice<\/h3>\n<p>When upgrading to any of v2.2.3, v2.1.3, v2.0.5 and v1.5.4, some people may be relying on some wrong behaviour to filter data retrieved on authentication. For example, one may have writen in his model:<\/p>\n<pre lang=\"ruby\">\ndef find_for_authentication(conditions)\n  conditions[:active] = true\n  super\nend\n<\/pre>\n<p>The code above may no longer work and needs to be rewriten as:<\/p>\n<pre lang=\"ruby\">\ndef find_for_authentication(conditions)\n  find_first_by_auth_conditions(conditions, active: true)\nend\n<\/pre>\n<h3>Thank you notes<\/h3>\n<p>We would like to thank <b>joernchen of Phenoelit<\/b> for disclosing this vulnerability and working with us on a patch.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi everybody. I&#8217;d like to announce that Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 have been released with a security patch. Upgrade immediately unless you are using PostgreSQL or SQLite3. Users of all other databases (including NoSQL ones) require immediate upgrade. Using a specially crafted request, an attacker could trick the database type conversion code to &#8230; <a class=\"read-more-link\" href=\"https:\/\/blog.plataformatec.com.br\/2013\/01\/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released\/\">\u00bb<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[36,124],"aioseo_notices":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/3334"}],"collection":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/comments?post=3334"}],"version-history":[{"count":17,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/3334\/revisions"}],"predecessor-version":[{"id":3351,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/3334\/revisions\/3351"}],"wp:attachment":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/media?parent=3334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/categories?post=3334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/tags?post=3334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}