
Ruby Denial of Service patch breaks BigDecimal to_f method

Harvest is built on the Ruby on Rails web framework, so we constantly monitor for security issues in both the framework and the language itself. A Ruby Denial of Service (DoS) vulnerability was announced almost 24 hours ago. The security of Harvest accounts is our top priority, and all Harvest services were upgraded quickly to close this security hole.

Dee Zsombor, one of Harvest’s prime hackers, uncovered a further issue with the fixed Ruby version, 1.8.7 patch level 173. This release ships a flawed BigDecimal#to_f coercion method. For example:

BigDecimal("10.03").to_f
=> 10.3

We are fairly confident Harvest users are not interested in this bizarro-world version of rounding.

If you are running a Rails application and you have applied the Ruby 1.8.7 DoS patch, we’ve got the fix for you. Place the following hack in your environment.rb file (or an initializer if you prefer):

# Probe: a correct to_f round-trips "10.03". If this interpreter gets it
# wrong, route to_f through the string representation instead, which
# String#to_f parses correctly (including the "0.1003E2" notation to_s emits).
if BigDecimal("10.03").to_f != 10.03
  class BigDecimal
    def to_f
      self.to_s.to_f
    end
  end
end

If your interpreter is broken like ours was, this will cure what ails it. Big thanks to Dee for writing up this fix.
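The snippet above probes a single value. As an added example (not code from the original post or from Harvest), the script below generalizes that check: it compares BigDecimal#to_f against String#to_f over a handful of constructed sample decimals, reports every mismatch, and applies the same to_s-based workaround only when the running interpreter actually needs it. The sample strings, the function names and the SAMPLE_DECIMALS constant are assumptions made for this example.

```ruby
require 'bigdecimal'

# Constructed sample inputs (not from the original post): decimals whose
# fractional part starts with zeros, the shape that exposed the bug, plus a
# few ordinary values to make sure the workaround does not break anything.
SAMPLE_DECIMALS = %w[10.03 0.05 1.005 123.456 -7.0008 0.1 42].freeze

# Reference conversion that never touches BigDecimal#to_f.
def reference_float(str)
  str.to_f
end

# The workaround from the post, as a function: go through the string form,
# which String#to_f parses correctly in both plain and exponent notation.
def workaround_to_f(str)
  BigDecimal(str).to_s.to_f
end

# Conversion under whatever BigDecimal#to_f the interpreter currently has.
def bigdecimal_to_f(str)
  BigDecimal(str).to_f
end

# Returns [input, got, expected] for every sample where the interpreter's
# BigDecimal#to_f disagrees with the reference. Empty means "not affected".
def broken_conversions(samples = SAMPLE_DECIMALS)
  samples.map { |s| [s, bigdecimal_to_f(s), reference_float(s)] }
         .reject { |_, got, expected| got == expected }
end

# Applies the monkey patch only when a mismatch is detected.
# Returns true if the patch was installed, false if it was not needed.
def apply_to_f_workaround!
  return false if broken_conversions.empty?

  BigDecimal.class_eval do
    def to_f
      to_s.to_f
    end
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  broken = broken_conversions
  if broken.empty?
    puts "BigDecimal#to_f looks correct on #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}"
  else
    broken.each { |s, got, want| puts "#{s}: got #{got}, expected #{want}" }
    apply_to_f_workaround!
    puts "workaround applied; remaining mismatches: #{broken_conversions.size}"
  end
end
```

Dropping this into an initializer in place of the one-line probe gives the same protection while also telling you which values were affected; on an unaffected interpreter it changes nothing, since the patch is only installed when a mismatch is observed.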

This was posted in Code.
