Potential XSS Security Issue in LocaleController

Posted January 26, 2010 by railsdog | Comments

We’ve just patched the edge code to address a potential security hole. The vulnerability also affects prior versions of Spree including the latest 0.9.4 release. The upcoming 1.0.0 release will contain the fix. We will not be issuing a patch release but you can easily address the problem by patching the LocaleController in your site extension as follows:


class LocaleController < ApplicationController

  def set
    if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
      I18n.locale = params[:locale]
      session[:locale] = params[:locale]
      flash[:notice] = t("locale_changed")
    else
      flash[:error] = t("locale_not_changed")
    end
    redirect_back_or_default(root_path)
  end

end

Special thanks to Alexander Kozliakov for reporting the bug and providing a fix. Please continue to report any suspected security issues to security@railsdog.com.

,

blog comments powered by Disqus
 Subscribe via RSS

Archives

About Spree Commerce

Spree Commerce is an open source e-commerce solution created by Sean Schofield. Spree is supported by the open source community as well as the sale of our commercial products.

Take it for a test drive

You can even create your own personal store.

Try the demo

This project is maintained by a core team of developers and is freely available for commercial use under the terms of the New BSD License.

Spree, Spree Commerce and the Spree logo are all trademarks of Spree Commerce, Inc.