Potential XSS Security Issue in LocaleController

We’ve just patched the edge code to address a potential security hole. The vulnerability also affects prior versions of Spree including the latest 0.9.4 release. The upcoming 1.0.0 release will contain the fix. We will not be issuing a patch release but you can easily address the problem by patching the LocaleController in your site extension as follows:

    class LocaleController < ApplicationController
      def set
        # Only accept a locale that is on the fixed allow-list; the raw
        # params[:locale] value is never stored or echoed otherwise.
        if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
          I18n.locale = params[:locale]
          session[:locale] = params[:locale]
          flash[:notice] = t("locale_changed")
        else
          flash[:error] = t("locale_not_changed")
        end
        redirect_back_or_default(root_path)
      end
    end
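To make the allow-list check easy to exercise outside Rails, here is an added example (not Spree's code) that models the patched `set` action as a plain Ruby method; the `set_locale_unchecked` variant is an assumption about what the fix replaces, and `AVAILABLE_LOCALES` is a constructed sample list.

```ruby
# Added example, not Spree's code: the patched LocaleController#set logic
# modelled without Rails so the allow-list check can be run directly.
AVAILABLE_LOCALES = %w[en de fr].freeze # constructed sample list

# Hypothetical pre-patch form (an assumption, not taken from Spree): the
# user-supplied value is trusted as-is, so whatever arrives in ?locale=
# ends up in the session and in whatever page later renders it.
def set_locale_unchecked(params, session)
  session[:locale] = params[:locale]
  { locale: session[:locale], flash: { notice: "locale_changed" } }
end

# Patched form: only values from the fixed allow-list are accepted; any
# other value is discarded, the session keeps its previous locale, and an
# error flash is set instead of a notice.
def set_locale_checked(params, session)
  locale = params[:locale]
  if locale && AVAILABLE_LOCALES.include?(locale)
    session[:locale] = locale
    { locale: locale, flash: { notice: "locale_changed" } }
  else
    { locale: session[:locale], flash: { error: "locale_not_changed" } }
  end
end

if __FILE__ == $PROGRAM_NAME
  session = { locale: "en" }
  p set_locale_checked({ locale: "de" }, session)               # accepted
  p set_locale_checked({ locale: "<b>not-a-locale</b>" }, session) # rejected
  p session                                                     # still "de"
end
```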

Special thanks to Alexander Kozliakov for reporting the bug and providing a fix. Please continue to report any suspected security issues to security@railsdog.com.
