There is a segfault bug in ruby’s big decimal library which can be triggered by users providing known-bad values. If you wish to test whether your application is secure run example.rb. This script should exit normally, not segfault.
The workaround has negative side-effects. Specifically it prevents you from using BigDecimal to deal with large numbers (more than 255 digits) or from providing the numbers in scientific notation (e.g. “5E6” for 5000000). If you require those features you must upgrade to a patched ruby.
You are strongly advised to upgrade ruby following the instructions on the ruby site. This work around is only intended for temporary use.
- 1.8.6-p368 and all prior versions
- 1.8.7-p160 and all prior versions
- All 1.9.1 versions are safe
This fix is available as a gem from github. To install it you should run the following commands:
$ gem sources -a http://gems.github.com $ sudo gem install NZKoz-bigdecimal-segfault-fix
Then in your code add:
gem 'NZKoz-bigdecimal-segfault-fix' require 'bigdecimal-segfault-fix'
To apply this fix to a Rails Application you can simply copy the bigdecimal-segfault-fix.rb file into your config/initializers directory.