---
gem: actionview
framework: rails
cve: 2016-2097
date: 2016-02-29
url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"

title: Possible Information Leak Vulnerability in Action View

description: |

  There is a possible directory traversal and information leak vulnerability
  in Action View. This was meant to be fixed by CVE-2016-0752; however, the 3.2
  patch did not cover all the scenarios. This vulnerability has been
  assigned the CVE identifier CVE-2016-2097.

  Versions Affected:  3.2.x, 4.0.x, 4.1.x
  Not affected:       4.2+
  Fixed Versions:     3.2.22.2, 4.1.14.2

  Impact
  ------
  Applications that pass unverified user input to the `render` method in a
  controller may be vulnerable to an information leak vulnerability.

  Impacted code will look something like this:

  ```ruby
  def index
    render params[:id]
  end
  ```

  Carefully crafted requests can cause the above code to render files from
  unexpected places like outside the application's view directory, and can
  possibly escalate this to a remote code execution attack.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  A workaround to this issue is to not pass arbitrary user input to the `render`
  method. Instead, verify that data before passing it to the `render` method,
  for example by checking it against a fixed allowlist of the template names
  your application actually renders.

  For example, change this:

  ```ruby
  def index
    render params[:id]
  end
  ```

  To this:

  ```ruby
  def index
    render verify_template(params[:id])
  end

  private
  def verify_template(name)
    # add verification logic particular to your application here
  end
  ```
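
  One way to fill in `verify_template`, shown here as an added example rather
  than code from the advisory or from Rails: an exact-match allowlist of
  template names, with a stand-in controller whose `render` only records what
  it was asked to render so the snippet runs without Rails. The controller
  name, the allowed template names and the probe inputs are all assumed for
  illustration.

  ```ruby
  # Added example (not the advisory's code). Templates this hypothetical
  # controller is allowed to render. Anything not in this list is rejected
  # outright; no attempt is made to sanitise or normalise the input, because
  # resolving attacker-controlled paths is exactly what the vulnerable
  # render path got wrong.
  ALLOWED_TEMPLATES = %w[index show archive].freeze

  class TemplateNotPermitted < StandardError; end

  # Returns the template name if it is exactly one of the allowed names,
  # otherwise raises. Exact string comparison means "../index",
  # "index/../../config/database" and "index.erb" all fail.
  def verify_template(name)
    name = name.to_s
    return name if ALLOWED_TEMPLATES.include?(name)
    raise TemplateNotPermitted, "template not permitted: #{name.inspect}"
  end

  # Self-check helper: returns the subset of the given candidate names that
  # verify_template accepts.
  def accepted_templates(candidates)
    candidates.select do |candidate|
      begin
        verify_template(candidate)
        true
      rescue TemplateNotPermitted
        false
      end
    end
  end

  # Stand-in for the advisory's controller (assumed name). `params` is a
  # plain Hash and `render` only records the template name it was given.
  class PostsController
    attr_reader :rendered

    def initialize(params)
      @params = params
    end

    def index
      render verify_template(@params[:id])
    end

    private

    def render(template)
      @rendered = template
    end
  end

  if __FILE__ == $PROGRAM_NAME
    # Constructed probe inputs: two legitimate names plus traversal attempts.
    probes = ["index", "show", "../index", "../../config/database",
              "index/../../../../etc/passwd", "index.erb", nil]
    puts "accepted: #{accepted_templates(probes).inspect}" # ["index", "show"]

    PostsController.new(id: "show").tap(&:index)
    begin
      PostsController.new(id: "../../config/database").index
    rescue TemplateNotPermitted => e
      puts "rejected: #{e.message}"
    end
  end
  ```

  Keeping the comparison to `include?` on the raw string, rather than trying
  to strip `..` or leading slashes, is deliberate: the allowlist is the whole
  check, so there is no path logic left to get wrong. Where the mapping from
  user value to template is more involved, a Hash lookup (`TEMPLATES.fetch(params[:id])`)
  gives the same property, since the user-supplied string never reaches `render`.
  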

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided patches
  for it. They are in git-am format and each consists of a single changeset.

  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
  * 4-1-render_data_leak_2.patch - Patch for 4.1 series

  Credits
  -------
  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
  and working with us on the patch!

unaffected_versions:
  - ">= 4.2.0"

# "~> 3.2.22.2"  is found in gems/actionpack/CVE-2016-2097.yml
patched_versions:
  - "~> 4.1.14, >= 4.1.14.2"