Sorry I was a little grumpy last night, probably since I created the security issue in the first place.<br><br>Not sure if I missed something like this but it would have helped me get on top of it sooner if there was an email simply stating that there was a security fix in the main branch. Getting the email with the steps to reproduce made it feel much more urgent to me.<br>
<br>This kinda hand holding is probably more important to me since I am maintaining Facebook sites and not as active in development currently. So I am not watching what is going on in the branch.<br><br><br>What I should have said was: thanks for finding this and fixing it. Sorry about that.<br>
<br>Dave<br><br>
<br><div><span class="gmail_quote">On 2/25/09, <b class="gmail_sendername">Mike Mangino</b> <<a href="mailto:mmangino@elevatedrails.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mmangino@elevatedrails.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>How would you recommend this be handled? Vincent reported the issue privately last week and waited to publicly report it until a fix was in the main branch. It was my call to report it publicly now. Is there some way we can do this better?<div>
<br></div><div>Mike</div><div><div><span><br><div><div>On Feb 25, 2009, at 12:31 AM, David Clements wrote:</div><br><blockquote type="cite">I forked the repo and fixed this issue without removing the functionality.<br>
<br>I sent a pull request from <br><br><a href="http://github.com/digidigo/facebooker/tree/master" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://github.com/digidigo/facebooker/tree/master</a><br>
<br>In the future I would appreciate a little more discretion around security issues. Publicizing it in this way required me to fix it immediately on my production environment rather than being able to wait for morning.<br>
<br>Dave<br><br><div><span class="gmail_quote">On 2/24/09, <b class="gmail_sendername">David Clements</b> <<a href="mailto:digidigo@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">digidigo@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Does this change simply remove support for multiple adapters?<br><br>Dave<br><br><br><br><div class="gmail_quote"><div><span>On Tue, Feb 24, 2009 at 6:06 PM, vincent chu <span dir="ltr"><<a href="mailto:vincentchu@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">vincentchu@gmail.com</a>></span> wrote:<br>
</span></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><span>Hi all ---<br><br>In the course of developing our Facebook connect app, we realized that there was a security hole in Facebooker that allows any malicious user to change the state of the Facebooker module and crash any controller/view that uses Facebooker to capture a Facebook session. For Facebook connect apps, this could potentially be in any view that uses the "set_facebook_session" before_filter.<br>
<br>All the malicious user has to do is send a malformed HTTP request similar to:<br><br><a href="http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned</a><br>
<br>The problem comes in the 'set_adapter' method of 'facebooker/lib/facebooker/rails/controller.rb' where Facebooker will attempt to load an adapter from the params hash if fb_sig_api_key is in the request (ignoring the configuration found in the facebooker.yml file). In this case, Facebooker would dutifully set the api_key to "you_are_pwned" and any subsequent call to Facebooker would try and use "you_are_pwned" as the api_key, causing it to crash the site. <br>
<br>Kevin Lochner's already pushed an update to github, so update to the latest commit:<br><br>6a954874369354324d87b2fe09c24db4bd485faf<br><a href="http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf</a><br clear="all">
<br>Cheers,<br><br>Vince<br><br>----<br>Vincent Chu<br>Department of Applied Physics<br>Geballe Laboratory of Advanced Materials<br>McCullough Bldg. 318<br>476 Lomita Mall<br>Stanford, CA, 94305<br><br>Consider this:<br>
"The smallest positive integer not definable in under eleven words."<br> <br></span></div>_______________________________________________<br> Facebooker-talk mailing list<br> <a href="mailto:Facebooker-talk@rubyforge.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Facebooker-talk@rubyforge.org</a><br>
<a href="http://rubyforge.org/mailman/listinfo/facebooker-talk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://rubyforge.org/mailman/listinfo/facebooker-talk</a><br> <br></blockquote></div>
<br> </blockquote></div><br></blockquote></div><br></span></div>
<span><div> <span style="border-collapse: separate; border-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><div>
<div>--</div><div>Mike Mangino</div><div><a href="http://www.elevatedrails.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.elevatedrails.com</a></div><div><br></div></div><br></span> </div>
<br></span></div></div></blockquote></div><br>
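The thread above describes the bug in prose only: Facebooker's set_adapter took whatever fb_sig_api_key arrived in the request and built an adapter from it, ignoring facebooker.yml, so a single crafted query string left every later API call with an unusable key. The Ruby below is an added illustration, not Facebooker's code or the commit Kevin Lochner pushed, that models the vulnerable selection next to a hardened one which still keeps Dave's multi-adapter use case: the request may pick between adapters the application configured, and anything else is logged and falls back to the default. Adapter, APP_CONFIG, known_adapters, select_adapter_vulnerable, select_adapter_hardened and sign_request are names assumed here, and the SHA-256 signing step stands in for "any subsequent call to Facebooker" rather than reproducing Facebook's real signature scheme.

```ruby
require 'digest'

# Added example, not Facebooker's code: a minimal model of the adapter
# selection described in the thread. Adapter, APP_CONFIG, select_adapter_*
# and sign_request are names assumed here for illustration.
Adapter = Struct.new(:api_key, :secret_key)

# Constructed stand-in for what facebooker.yml would hold: one default
# adapter plus any extra ones a deployment serving several apps registers.
APP_CONFIG = {
  default: Adapter.new('app_key_1', 'secret_1'),
  extra:   { 'app_key_2' => Adapter.new('app_key_2', 'secret_2') }
}.freeze

# Every adapter the application itself configured, keyed by api_key.
def known_adapters(config = APP_CONFIG)
  config[:extra].merge(config[:default].api_key => config[:default])
end

# Vulnerable pattern (as described in the thread): whatever fb_sig_api_key
# the request carries becomes the adapter, configuration ignored.
def select_adapter_vulnerable(params, config = APP_CONFIG)
  key = params['fb_sig_api_key']
  return config[:default] if key.nil?
  Adapter.new(key, nil) # no secret is known for an arbitrary key
end

# Hardened pattern: the request may only choose among adapters the app
# configured; an unrecognised key is logged and the default is kept.
def select_adapter_hardened(params, config = APP_CONFIG, log = [])
  key = params['fb_sig_api_key']
  return config[:default] if key.nil?
  adapters = known_adapters(config)
  return adapters[key] if adapters.key?(key)
  log << "ignored unknown fb_sig_api_key=#{key.inspect}"
  config[:default]
end

# Constructed stand-in for "any subsequent call to Facebooker": signing a
# request needs the adapter's secret, so an adapter built from a
# request-supplied key fails here, which is the crash the thread describes.
def sign_request(adapter, payload)
  raise ArgumentError, "no secret for api_key #{adapter.api_key}" if adapter.secret_key.nil?
  Digest::SHA256.hexdigest("#{payload}#{adapter.secret_key}")
end

if __FILE__ == $0
  hostile = { 'fb_sig_api_key' => 'you_are_pwned' } # the query string from the report
  begin
    sign_request(select_adapter_vulnerable(hostile), 'method=users.getInfo')
  rescue ArgumentError => e
    puts "vulnerable: #{e.message}"
  end
  log = []
  sig = sign_request(select_adapter_hardened(hostile, APP_CONFIG, log), 'method=users.getInfo')
  puts "hardened: signed with the configured default (#{sig[0, 16]}...)"
  puts log
end
```

The point of the hardened version is that request parameters are treated as a selector into server-side configuration, never as configuration themselves; the log line gives operators a signal that someone is probing with unknown keys, which the original silent override never produced.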