Ruby Denial of Service patch breaks BigDecimal to_f method

Harvest is built on the Ruby on Rails web framework, so we constantly monitor for security issues with both the framework and the language itself. A Ruby Denial of Service (DoS) vulnerability was announced almost 24 hours ago. The security of Harvest accounts is our top priority, and all Harvest services were upgraded quickly to close this security hole.

Dee Zsombor, one of Harvest's prime hackers, uncovered further issues with the fixed Ruby version 1.8.7, patch level 173. This upgrade ships a flawed BigDecimal#to_f coercion method, which drops the zero after the decimal point:

BigDecimal("10.03").to_f
=> 10.3

We are fairly confident Harvest users are not interested in this bizarro-world version of rounding.

If you are running a Rails application and you have applied the Ruby 1.8.7 DoS patch, we’ve got the fix for you. Place the following hack in your environment.rb file (or an initializer if you prefer):

# Only patch when the interpreter's BigDecimal#to_f is actually broken.
if BigDecimal("10.03").to_f != 10.03
  class BigDecimal
    # Route the conversion through the decimal string representation,
    # which String#to_f parses correctly.
    def to_f
      self.to_s.to_f
    end
  end
end

If your interpreter is broken like ours was, this will cure what ails it. Big thanks to Dee for writing up this fix.
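As an added example (not code from the Harvest post), the same check generalized to a probe over several decimal strings, plus a helper that installs the post's workaround only when a mismatch is detected. The probe values are constructed for this example.

```ruby
require 'bigdecimal'

# Constructed sample inputs: decimals with zeros directly after the point,
# the shape that the broken coercion mangled ("10.03" became 10.3).
PROBE_VALUES = %w[10.03 0.05 100.007 1.0001 -3.0250 12345.000001].freeze

# Compare the interpreter's BigDecimal#to_f against String#to_f, which is
# the canonical, correctly rounded conversion. Returns the inputs on which
# the two disagree; the list is empty on a healthy interpreter.
def bigdecimal_to_f_mismatches(values = PROBE_VALUES)
  values.reject { |s| BigDecimal(s).to_f == s.to_f }
end

# Reference implementation of the workaround from the post: convert via
# the decimal string (e.g. "0.1003e2"), which String#to_f parses correctly.
def to_f_via_string(decimal)
  decimal.to_s.to_f
end

# Install the workaround only if the probe finds a mismatch, so a healthy
# interpreter keeps its native implementation. Returns true when patched.
def patch_bigdecimal_to_f_if_broken!
  return false if bigdecimal_to_f_mismatches.empty?

  BigDecimal.class_eval do
    def to_f
      to_s.to_f
    end
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  broken = bigdecimal_to_f_mismatches
  puts(broken.empty? ? 'BigDecimal#to_f is healthy' : "Broken for: #{broken.join(', ')}")
  puts "Patch installed: #{patch_bigdecimal_to_f_if_broken!}"
end
```

Run it once in a console against the interpreter you are about to deploy; a non-empty mismatch list means the environment.rb hack above is needed.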

The HARVEST Blog News & small business tips from your beloved time tracking & invoicing app.