CVE-2008-5x8x
Bookmarked!This challenge covers the review of a CVE and its patch
The Code Review Patch challenges are designed to enhance your skills in identifying and understanding vulnerabilities in code. You are provided with both the original, vulnerable code and the corresponding patch. Initially, try to find the vulnerability without referring to the patch. If you struggle to identify the issue or want to confirm your findings, you can then review the patch, which typically includes a diff file showing the changes made to fix the vulnerability.
For instance, the challenge CVE-2008-5x8x focuses on a method named redirect
in response.rb
. This method uses two parameters, to_url
and response_status
, to set the response headers. The original code lacks safeguards for the to_url
parameter, making it susceptible to response splitting attacks if an attacker injects carriage return or new line characters. The patch addresses this by using the gsub
method to remove these characters, thereby preventing the vulnerability.