---
title: 'Danger, danger: High Voltage vulnerability'
teaser: Version 1.2.0 of high_voltage is a security fix.
tags: news,web,ruby,open source,high_voltage
author: Mike Burns
published_on: 2012-09-10
---

Version 1.2.0 of high_voltage is a security fix. Please upgrade.

## Description

The [high_voltage](https://rubygems.org/gems/high_voltage) static page gem prior
to version 1.2.0 allows attackers to cause the Rails app to render arbitrary
files as if they were ERB templates. The attacker can trigger this [local file inclusion (LFI)](https://blog.detectify.com/2012/10/14/the-basics-of-local-file-inclusions/) through the use of
URL-encoded Unicode characters, which bypass the Ruby
[`Pathname#cleanpath`](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/pathname/rdoc/Pathname.html#method-i-cleanpath)
method.

## Solution

Upgrade to version 1.2.0 of high_voltage:

    bundle update high_voltage

## Workaround

If you cannot upgrade easily you can instead subclass
`HighVoltage::PagesController` to override the
[`current_page`](https://github.com/thoughtbot/high_voltage/blob/master/app/controllers/high_voltage/pages_controller.rb#L21-L23)
method and remove invalid characters manually. More details on overriding can
be found in the [high_voltage
documentation](https://github.com/thoughtbot/high_voltage#override).
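As an added illustration of the workaround (not code from high_voltage or the original post), here is a whitelist check that an overriding `current_page` could apply to the page id before the gem turns it into a template path. It assumes the pages root path and the `PagesController` subclass shown in the comment are hypothetical names for your app.

```ruby
require "pathname"
require "uri"

# A page id may only be ASCII path segments such as "about" or
# "docs/getting-started"; everything else (encoded Unicode, "..", empty
# segments, absolute paths) is rejected before it reaches the renderer.
SAFE_PAGE_SEGMENT = /\A[a-z0-9][a-z0-9_-]*\z/i

def safe_page_id(raw_id)
  # Judge the value on what it decodes to, not on its encoded form.
  decoded = URI.decode_www_form_component(raw_id.to_s)
  # Non-ASCII input is refused outright rather than normalised away.
  return nil unless decoded.ascii_only?
  segments = decoded.split("/", -1)
  return nil if segments.empty?
  return nil unless segments.all? { |s| SAFE_PAGE_SEGMENT.match?(s) }
  segments.join("/")
rescue ArgumentError
  nil # malformed percent-encoding
end

# Defence in depth: confirm the resolved template path stays under the
# pages directory (root is a hypothetical path supplied by the caller).
def template_path_within?(root, page_id)
  root = Pathname.new(root).expand_path
  full = (root + "#{page_id}.html.erb").expand_path
  full.to_s.start_with?(root.to_s + "/")
end

# How the check would be wired into the workaround described above
# (assumes a Rails app using high_voltage prior to 1.2.0):
#
#   class PagesController < HighVoltage::PagesController
#     def current_page
#       safe_page_id(params[:id]) or
#         raise ActionController::RoutingError, "Not Found"
#     end
#   end
```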

## Acknowledgements

Thanks to [Jefferson Venerando](https://twitter.com/shamanime) for bringing the Unicode exploit to our attention.
