Spree Commerce


Archive for April, 2011

Spree 0.50.2 Released

Posted on April 25, 2011 by Sean Schofield

Spree 0.50.2 has just been released. It's a minor patch release to address a performance issue with a previous version of Rails.

You can also use the Github compare tool to see a complete list of changes for the 0.50.2 release.

Spree 0.50.1 Released

Posted on April 19, 2011 by Sean Schofield

Spree 0.50.1 has just been released. It's a minor patch release to address a handful of small issues. It also contains an important security fix (see the recent security announcement for more details).

You can also use the Github compare tool to see a complete list of changes for the 0.50.1 release.

Security Vulnerabilities - Content Controller & Search Logic

Posted on April 19, 2011 by John Dyer and Sean Schofield

The Spree team was recently alerted to two potential security vulnerabilities.

The first potential exploit, reported by John Hartzler, would allow a user to request a specially crafted URL and expose arbitrary files on the server. All prior versions of Spree are affected by this issue, but it has since been patched in the edge code as well as the brand new Spree 0.50.1 release.

If you are not able to upgrade immediately, there is a simple "hot fix" you can code into your site that should work with all prior versions of Spree. You need to create a file named `config/initializers/security_hotfix.rb` in your application and make sure it contains the following code:

config/initializers/security_hotfix.rb

```ruby
# Reopens ContentController and replaces its show action so the requested
# path is only ever looked up as a view template.
ContentController.class_eval do
  def show
    render :template => params[:path]
  end
end
```
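As an added example (not Spree's code and not the hotfix above), this is the kind of allowlist check a defender can put in front of ContentController#show so that only plain, relative template names ever reach render; VIEWS_ROOT and the controller usage in the trailing comment are assumptions.

```ruby
# Added example, not Spree's code: an allowlist guard for the ContentController
# path parameter described in the announcement above.  Only plain, relative,
# template-style names pass; anything that could steer the lookup outside the
# content views directory is rejected before render is ever called.
module ContentPathGuard
  # Hypothetical view root; in a Rails app this would sit under app/views.
  VIEWS_ROOT = "/srv/app/app/views/content".freeze

  # One path segment: lowercase letters, digits, underscore or hyphen.  No dots
  # at all, so "..", hidden files and explicit extensions never get through.
  SEGMENT = /\A[a-z0-9][a-z0-9_-]*\z/

  # Returns the template name to render, or nil when the request is rejected.
  def self.safe_template(raw)
    return nil unless raw.is_a?(String) && !raw.empty?
    return nil if raw.include?("\0") || raw.include?("\\")  # NUL bytes, Windows separators
    return nil if raw.start_with?("/")                      # no absolute paths
    segments = raw.split("/", -1)                           # keep empties: "a//b" and "a/" fail
    return nil unless segments.all? { |s| s.match?(SEGMENT) }
    template = segments.join("/")
    # Belt and braces: resolve the name and confirm it stays under VIEWS_ROOT.
    resolved = File.expand_path(template, VIEWS_ROOT)
    return nil unless resolved.start_with?(VIEWS_ROOT + "/")
    template
  end
end

# How a controller would use it (illustrative; render_404 is assumed to be the
# application's not-found helper):
#
#   def show
#     name = ContentPathGuard.safe_template(params[:path])
#     name ? render(:template => "content/#{name}") : render_404
#   end
```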

The second issue, reported by joernchen of Phenoelit, is a bug in the rd_searchlogic gem which would allow malicious users to execute arbitrary remote commands. The rd_searchlogic gem was forked from the original searchlogic since the original still does not support Rails 3. The forked gem is the most vulnerable, but the original searchlogic gem also contains a variation of this exploit.

This affects both the 0.30.x and the 0.40.x versions of Spree. Upgrading your installation of Spree to 0.50.x is an easy solution to this problem, since we no longer use searchlogic. If you are unable to upgrade at this time and are not using the search functionality provided by the REST API, then you can drop the following code into a new file titled `config/initializers/searchlogic_hotfix.rb`:

config/initializers/searchlogic_hotfix.rb

```ruby
# Reopens the API base controller and disables its search action so the
# vulnerable searchlogic code path is never reached.
Api::BaseController.class_eval do
  protected

  def search
    return nil
  end
end
```

Both of these fixes will require a restart of your production server to take effect.