Patch for CVE-2020-11082 for kaminari v0.17.0 #1036
Comments
utkarsh2102 changed the title from "Patch for CVE-2020-11082" to "Patch for CVE-2020-11082 for kaminari v0.17.0" on Oct 1, 2020
I'm not aware of a library-level patch, only the patch at the app level. I ended up with:

```ruby
module KaminariSecurityPatch
  # Prepend this module to Kaminari::Helpers::Tag so that the page_url_for
  # defined below takes precedence over the library's own version.
  prepend_features Kaminari::Helpers::Tag

  # Request parameters that must never be copied into generated pagination links.
  PARAM_KEY_DENIED_LIST = ["authenticity_token", "commit", "utf8", "method", "script_name", "original_script_name"].freeze

  def page_url_for(page)
    # Merge in the page number (nil for page 1 so the parameter is omitted),
    # then strip the denied keys before handing the params to url_for.
    params = @params.merge(@param_name => (page <= 1 ? nil : page), only_path: true).except(*PARAM_KEY_DENIED_LIST)
    @template.url_for(params)
  end
end
```
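As an added example (not kaminari's code and not the snippet posted above), here is a plain-Ruby model of that app-level mitigation with Rails' url_for replaced by a query-string builder, so it runs outside a Rails app. It assumes kaminari's default page parameter name "page" (which the real Tag reads from @param_name, so a non-default configured name must be passed through as well) and uses a constructed set of request parameters. It shows that every key in the denied list is dropped before the link is built, and that page 1 omits the page parameter entirely.

```ruby
require 'uri'

# Same denied list as the app-level patch above.
PARAM_KEY_DENIED_LIST = %w[authenticity_token commit utf8 method script_name original_script_name].freeze

# Assumed page-parameter name; kaminari's default is :page, and it is configurable.
PARAM_NAME = 'page'.freeze

# Build the parameter set for a pagination link: set (or remove) the page
# number, then strip every denied key and every nil value. Keys are normalised
# to strings because request params may arrive with symbol keys.
def sanitized_page_params(request_params, page, param_name: PARAM_NAME)
  params = request_params.transform_keys(&:to_s)
  params = params.merge(param_name => (page <= 1 ? nil : page))
  params.reject { |key, value| PARAM_KEY_DENIED_LIST.include?(key) || value.nil? }
end

# Stand-in for Rails' url_for(only_path: true): path plus an encoded query string.
def page_url_for(path, request_params, page, param_name: PARAM_NAME)
  query = URI.encode_www_form(sanitized_page_params(request_params, page, param_name: param_name))
  query.empty? ? path : "#{path}?#{query}"
end

# Constructed request parameters: a legitimate search term plus two keys that
# the denied list says must never reach a generated link.
CONSTRUCTED_PARAMS = {
  'q' => 'kaminari',
  'utf8' => '✓',
  'original_script_name' => '/not-for-links'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts page_url_for('/posts', CONSTRUCTED_PARAMS, 3)
  puts page_url_for('/posts', CONSTRUCTED_PARAMS, 1)
  puts page_url_for('/posts', CONSTRUCTED_PARAMS, 2, param_name: 'pagina')
end
```

The reject step is the whole point: whatever a request carried under a denied key is discarded before the link is generated, and the only value that reaches the page parameter is the integer the helper itself chose.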
Ah, thanks @JamesChevalier! ❤️

I think you need to check if it is OK to remove the page parameter from the kaminari configuration.
Hi @yuki24,

I am sorry for raising this up but wanted a bit more clarity on the patch for CVE-2020-11082.

We have a Debian package of `kaminari` and in the oldstable (Stretch) release, the version of `kaminari` is `v0.17.0`. Since the patch for CVE-2020-11082 cannot be backported to this version, the patch that you mentioned at #1020 (comment) should be used to mitigate the risk, how?

By creating a `config/initializers/kaminari.rb` in our Rails app, right? But how to patch this library itself for `v0.17.0`? Am I missing something?

CC: @JamesChevalier (hoping you'd know as well!)