XSS Vulnerability in Ruby on Rails
There is a vulnerability in the escaping code for the form helpers in
Ruby on Rails. Attackers who can inject deliberately malformed unicode
strings into the form helpers can defeat the escaping checks and inject
arbitrary HTML.
Versions Affected: 2.0.0 and *all* subsequent versions.
Not affected: Applications running on ruby 1.9.
Fixed Versions: 2.3.4, 2.2.3
Candidate CVE: CVE-2009-3009
Impact
Because most databases either reject or actively cleanse malformed unicode
strings, this vulnerability is most likely to be exploited through
non-persistent (reflected) attacks; however, persistent attacks may still
be possible in some configurations, for example where the malformed string
is stored without being normalised.
All users of affected versions are advised to upgrade to one of the fixed versions.
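The following is an added illustration of the failure mode described above; it is not code from the advisory, from the patches, or from the Rails code base. Ruby 1.8 (the affected platform) treated strings as byte arrays and let a regex in UTF-8 mode step over multi-byte sequences, so the behaviour cannot be reproduced literally on a modern, encoding-aware Ruby. Instead, `lenient_escape` is an assumed stand-in for the pre-fix behaviour: it walks the input as UTF-8 "characters" sized by each lead byte and never checks the continuation bytes, so a truncated lead byte followed by a quote swallows that quote. `clean_escape` plays the role the fix introduced (cleanse malformed multi-byte data before escaping), using `String#scrub` in place of the `ActiveSupport::Multibyte` cleansing the patches add. The payload and the `attribute_html` helper are constructed for the example.

```ruby
# Added example, not from the Rails advisory or code base. Models how an
# escaper that trusts UTF-8 lead bytes can be made to skip over a quote, and
# how cleansing malformed sequences first removes the problem.

ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

# Number of bytes a UTF-8 sequence claims to occupy, judged by the lead byte
# alone. This is an assumed model of a lenient tokenizer, not Rails code:
# it deliberately does not validate the continuation bytes.
def claimed_length(lead)
  case lead
  when 0x00..0x7F then 1
  when 0xC0..0xDF then 2
  when 0xE0..0xEF then 3
  when 0xF0..0xF7 then 4
  else 1
  end
end

# Vulnerable model: the byte after a multi-byte lead is consumed as part of
# that "character" even when it is a quote, so it reaches the output raw.
def lenient_escape(str)
  bytes = str.b
  out = ''.b
  i = 0
  while i < bytes.bytesize
    len = claimed_length(bytes.getbyte(i))
    chunk = bytes.byteslice(i, len)
    out << (len == 1 ? (ESCAPES[chunk] || chunk) : chunk)
    i += len
  end
  out
end

# Hardened model: cleanse malformed sequences first (String#scrub replaces
# each invalid sequence with U+FFFD), then escape on the clean string.
def clean_escape(str)
  cleaned = str.dup.force_encoding(Encoding::UTF_8).scrub
  cleaned.gsub(/[&<>"]/, ESCAPES)
end

# Constructed payload: a lone 3-byte lead (0xE2) immediately followed by the
# quote that would close an attribute value, then an injected attribute.
PAYLOAD = "\xE2\" onmouseover=alert(1) x=".b

# Renders the value into a quoted attribute the way a form helper would.
def attribute_html(value, escaper)
  %(<input type="text" name="q" value="#{escaper.call(value)}" />)
end

# True when an unescaped double quote is present in the escaped output.
def quote_survives?(escaped)
  escaped.b.include?('"'.b)
end

if __FILE__ == $PROGRAM_NAME
  puts attribute_html(PAYLOAD, method(:lenient_escape)).inspect
  puts attribute_html(PAYLOAD, method(:clean_escape)).inspect
end
```

Run stand-alone, the first line printed shows the quote escaping the attribute and `onmouseover=alert(1)` becoming a separate attribute; the second shows the whole payload confined to the `value` attribute with the bad lead byte replaced by U+FFFD. The order matters: cleansing must run before the escaping step, since escaping a malformed string and cleansing afterwards would still let the quote through.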
Releases
The 2.3.4 and 2.2.3 releases will be made available shortly and contain fixes for this issue.
Patches
In order to provide the fixes for users who are running unsupported
releases, or are unable to upgrade at present we have provided patches
against all affected stable release branches.
The patches are in a format suitable for git-am and consist of two
changesets: the code for cleansing multi-byte strings, and the
introduction of that code into the relevant helpers.
- 2-0-CVE-2009-3009.patch – Patch for 2.0 series
- 2-1-CVE-2009-3009.patch – Patch for 2.1 series
- 2-2-CVE-2009-3009.patch – Patch for 2.2 series
- 2-3-CVE-2009-3009.patch – Patch for 2.3 series
Please note that only the 2.2.x and 2.3.x series are supported at
present. Users of earlier unsupported releases are advised to upgrade
sooner rather than later as we cannot guarantee that future issues will
be backported in this manner.
Credits
Thanks to Brian Mastenbrook for reporting the vulnerability to us, and Manfred Stienstra from Fingertips for his work with us on the fix.