Ruby Denial of Service patch breaks BigDecimal to_f method
Harvest is built on the Ruby on Rails web framework, so we constantly monitor for security issues in both the framework and the language itself. A Ruby Denial of Service (DoS) vulnerability was announced almost 24 hours ago. The security of Harvest accounts is our top priority, and all Harvest services were upgraded quickly to close this security hole.
Dee Zsombor, one of Harvest's prime hackers, uncovered a further problem with the fixed Ruby, version 1.8.7 patch level 173: that release ships a flawed BigDecimal#to_f coercion method:
BigDecimal("10.03").to_f # => 10.3
We are fairly confident Harvest users are not interested in this bizarro-world version of rounding, which turns 10.03 into 10.3.
If you are running a Rails application and have applied the Ruby 1.8.7 DoS patch, we have the fix for you. Place the following hack in your environment.rb file (or in an initializer if you prefer):
require 'bigdecimal'

# Only patch when the interpreter actually has the defect, so a fixed
# Ruby keeps its native BigDecimal#to_f.
if BigDecimal("10.03").to_f != 10.03
  class BigDecimal
    # Route the conversion through the string form, which patch level 173
    # still produces correctly, and let String#to_f parse it.
    def to_f
      self.to_s.to_f
    end
  end
end
If your interpreter is broken like ours was, this will cure what ails it. Big thanks to Dee for writing up this fix.
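For anyone who wants to verify the interpreter before and after applying the hack, here is an added example (not Harvest's code or Dee's patch) that wraps the same guard in a small self-check: it runs a handful of constructed decimal strings through BigDecimal#to_f, reports any that come back wrong, and installs the string-based workaround only if something did. The sample values and the module name BigDecimalToFCheck are assumptions for the example.

```ruby
require 'bigdecimal'

# Added example (not Harvest's code): a self-check for the BigDecimal#to_f
# defect, plus the same guarded workaround, so a deploy script can confirm
# the interpreter is sane before and after applying the hack.
module BigDecimalToFCheck
  # Constructed samples: decimal strings paired with the Float each should
  # coerce to. The reported "10.03" case is first; the rest cover a leading
  # zero after the point, extra fractional digits, a negative value and
  # exponent notation.
  SAMPLES = {
    "10.03"   => 10.03,
    "0.05"    => 0.05,
    "100.001" => 100.001,
    "-3.07"   => -3.07,
    "1.5E-3"  => 0.0015
  }.freeze

  # The path the workaround takes: format as a string, then let
  # String#to_f parse it. This never calls BigDecimal#to_f.
  def self.via_string(str)
    BigDecimal(str).to_s.to_f
  end

  # Returns a Hash of the samples whose BigDecimal#to_f result differs from
  # the expected Float, mapped to [expected, actual]. Empty on a healthy
  # interpreter.
  def self.mismatches
    bad = {}
    SAMPLES.each do |str, expected|
      actual = BigDecimal(str).to_f
      bad[str] = [expected, actual] unless actual == expected
    end
    bad
  end

  # Installs the workaround only when the defect is present (the same guard
  # as the environment.rb hack). Returns true if the patch was applied.
  def self.apply_workaround!
    return false if mismatches.empty?
    BigDecimal.class_eval do
      def to_f
        to_s.to_f
      end
    end
    true
  end
end

if __FILE__ == $0
  before  = BigDecimalToFCheck.mismatches
  patched = BigDecimalToFCheck.apply_workaround!
  after   = BigDecimalToFCheck.mismatches
  puts "broken conversions before: #{before.inspect}"
  puts "workaround applied:        #{patched}"
  puts "broken conversions after:  #{after.inspect}"
end
```

Run it once against the freshly patched Ruby: on an affected patch level 173 build the "before" hash is non-empty and the workaround gets installed; on a healthy interpreter nothing is patched and both hashes are empty. Keep the guard, as the hack does, so the monkeypatch silently disappears once you upgrade to a Ruby whose native BigDecimal#to_f is correct.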