Spree Commerce

Potential XSS Security Issue in LocaleController

Posted on January 26, 2010 by Sean Schofield

We’ve just patched the edge code to address a potential security hole. The vulnerability also affects prior versions of Spree including the latest 0.9.4 release. The upcoming 1.0.0 release will contain the fix. We will not be issuing a patch release but you can easily address the problem by patching the LocaleController in your site extension as follows:

    class LocaleController < ApplicationController
      def set
        # Only accept a locale that is on the allow-list; anything else,
        # including a missing parameter, is rejected unchanged.
        if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
          I18n.locale = params[:locale]
          session[:locale] = params[:locale]
          flash[:notice] = t("locale_changed")
        else
          flash[:error] = t("locale_not_changed")
        end
      end
    end
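To see the effect of the allow-list check without a running Rails app, here is an added example (not Spree's code) that models the patched action as a plain Ruby function. The locale list, the message table and the `t` helper are stand-ins for Spree's AVAILABLE_LOCALES and Rails' translation helper; the function returns the resulting state so a caller can confirm that an untrusted parameter never reaches the session, the active locale or the flash messages.

```ruby
# Added example, not Spree's own code: a stand-alone model of the patched
# LocaleController#set action, runnable without Rails.

# Assumption: a fixed set of supported locales, standing in for Spree's
# AVAILABLE_LOCALES constant.
AVAILABLE_LOCALES = %w[en de fr es].freeze

# Stand-in for the Rails translation table behind t("...").
MESSAGES = {
  "locale_changed" => "Locale changed",
  "locale_not_changed" => "Locale could not be changed",
}.freeze

def t(key)
  MESSAGES.fetch(key)
end

# Makes the same decision as the patched controller action and returns the
# resulting state (active locale, session, flash) instead of rendering.
# `current_locale` is whatever I18n.locale was before the request.
def set_locale(params, session, current_locale = "en")
  flash = {}
  locale = current_locale
  if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
    # Exact string match against the allow-list: "EN", "en " or any
    # value with markup in it does not get this far.
    locale = params[:locale]
    session[:locale] = params[:locale]
    flash[:notice] = t("locale_changed")
  else
    # The untrusted value is neither stored nor echoed; only a fixed,
    # translated message is shown.
    flash[:error] = t("locale_not_changed")
  end
  { locale: locale, session: session, flash: flash }
end

# Convenience check: true when nothing in the returned state contains the
# raw parameter value, i.e. the request could not influence the response.
def untrusted_value_contained?(result, value)
  values = [result[:locale], *result[:session].values, *result[:flash].values]
  values.none? { |v| v.to_s.include?(value) }
end

if __FILE__ == $0
  # Constructed sample requests: one valid locale, one arbitrary string.
  p set_locale({ locale: "de" }, {})
  p set_locale({ locale: "<b>not-a-locale</b>" }, {})
end
```

Running the file prints the state for a valid `de` request and for a request carrying a non-locale string; the second one leaves the locale at its previous value, the session empty and only the fixed error message in the flash.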

Special thanks to Alexander Kozliakov for reporting the bug and providing a fix. Please continue to report any suspected security issues to security@railsdog.com.