Even though this vulnerability was announced on July 17th, I just happened to stumble on a tweet about it.
The important bit to look at in the source is this:
diff --git a/api/lib/spree/api/responders/rabl_template.rb b/api/lib/spree/api/responders/rabl_template.rb index 4a061f4..0b0d31c 100644 --- a/api/lib/spree/api/responders/rabl_template.rb +++ b/api/lib/spree/api/responders/rabl_template.rb @@ -14,7 +14,7 @@ module Spree end def template - request.headers['X-Spree-Template'] || controller.params[:template] || options[:default_template] + options[:default_template] end
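Review bot: the rewritten `template` method in rabl_template.rb has no accompanying spec in the visible diff that sends an `X-Spree-Template` header and a `template` param and asserts that `options[:default_template]` is still what gets rendered; add one so request-controlled template selection cannot be reintroduced unnoticed. A short comment on the method stating that the template name must never be taken from the request would make the intent clear to future maintainers. API clients that previously selected a template through the header or the param lose that ability with this line, so the change should also be called out in the changelog.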
So, it makes sense that any template can be asked for either via the X-Spree-Template header or
I wanted to verify this, and spun up a copy of Spree I had on my disk, and toyed a bit with a spec, asking for the README.md file in the Spree app rep ...(continued)