{"id":3334,"date":"2013-01-28T13:03:28","date_gmt":"2013-01-28T15:03:28","guid":{"rendered":"http:\/\/blog.plataformatec.com.br\/?p=3334"},"modified":"2013-01-28T17:39:02","modified_gmt":"2013-01-28T19:39:02","slug":"security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released","status":"publish","type":"post","link":"https:\/\/blog.plataformatec.com.br\/2013\/01\/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released\/","title":{"rendered":"Security announcement: Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 released"},"content":{"rendered":"
Hi everybody.<\/p>\n
I’d like to announce that Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 have been released with a security patch. Upgrade immediately<\/strong> unless you are using PostgreSQL or SQLite3. Users of all other databases (including NoSQL ones) require immediate upgrade.<\/p>\n Using a specially crafted request, an attacker could trick the database type conversion code to return incorrect records. For some token values this could allow an attacker to bypass the proper checks and gain control of other accounts.<\/p>\n In case you are using a Devise series older than the ones listed above, recommendations are provided below back to v1.2 series. Regardless, an upgrade to more recent versions is advised.<\/p>\n We checked all Devise versions released in the previous two years and recommendations follow below.<\/p>\n v1.5, v2.0, v2.1 and v2.2 series<\/strong><\/p>\n You can upgrade to any of v2.2.3, v2.1.3, v2.0.5 and v1.5.4. In case an upgrade is not feasible, please add the following patch to v1.4 series<\/strong><\/p>\n Please add the following patch to Please upgrade to more recent versions.<\/p>\n v1.2 and v1.3 series<\/strong><\/p>\n Not affected by this vulnerability. Please upgrade to more recent versions.<\/p>\n When upgrading to any of v2.2.3, v2.1.3, v2.0.5 and v1.5.4, some people may be relying on some wrong behaviour to filter data retrieved on authentication. For example, one may have written in his model:<\/p>\n The code above may no longer work and needs to be rewritten as:<\/p>\n We would like to thank joernchen of Phenoelit<\/b> for disclosing this vulnerability and working with us on a patch.<\/p>\n","protected":false},"excerpt":{"rendered":" Hi everybody. I’d like to announce that Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 have been released with a security patch. Upgrade immediately unless you are using PostgreSQL or SQLite3. Users of all other databases (including NoSQL ones) require immediate upgrade. 
Using a specially crafted request, an attacker could trick the database type conversion code to … \u00bb<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[36,124],"aioseo_notices":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/3334"}],"collection":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/comments?post=3334"}],"version-history":[{"count":17,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/3334\/revisions"}],"predecessor-version":[{"id":3351,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/3334\/revisions\/3351"}],"wp:attachment":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/media?parent=3334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/categories?post=3334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/tags?post=3334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Versions affected<\/h3>\n
config\/initializers\/devise_patch.rb<\/code> inside your Rails application:<\/p>\n
\nDevise::ParamFilter.class_eval do\n def param_requires_string_conversion?(_value); true; end\nend\n<\/pre>\n
config\/initializers\/devise_patch.rb<\/code> inside your Rails application:<\/p>\n
\nDevise::Models::Authenticatable::ClassMethods.class_eval do\n def auth_param_requires_string_conversion?(value); true; end\nend\n<\/pre>\n
Upgrade notice<\/h3>\n
\ndef find_for_authentication(conditions)\n conditions[:active] = true\n super\nend\n<\/pre>\n
\ndef find_for_authentication(conditions)\n find_first_by_auth_conditions(conditions, active: true)\nend\n<\/pre>\n
Thank you notes<\/h3>\n