> I'm surprised that it was included after the earlier security advisory about
> this issue said only Rails 4 would get chances to mitigate it. Did the risk
> assessment get worse or is it just doing whatever we can to improve the
> situation?
>
I'm sorry if I was unclear in the advisory; it was always the intention:
> Future releases of Rails will contain changes to mitigate the risk of
> this class of vulnerability, however as long as this feature is still
> supported this risk will remain.
This release was in the future; however, I can see how you might have taken that
to only mean 4.0.
>
> I've posted my 2c on the corresponding pull request,
> https://github.com/rails/rails/pull/9207. Doesn't feel like a safe approach
> to me, and it's broken basic join conditions when there's table aliasing.
>
Yeah, in the event there are no *pre-queried* tables, we should just revert to
the 'raw' quoting we do now. This should be something where we quote safely
wherever we can, but revert to going 'bareback' when we don't know.
--
Cheers,
Koz
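The fallback Koz describes, as an added illustration that is not code from the
Rails pull request or the Rails code base: quote `table.column` references only
for tables already seen in the query, and leave anything else (such as an alias
introduced by a join) as raw text so aliased join conditions keep working. The
`KNOWN_TABLES` list, the function names and the PostgreSQL-style double-quoting
are assumptions made for the example.

```ruby
# Added example (not from the Rails pull request or the Rails code base):
# quote "table.column" references only for tables we have already queried,
# and otherwise fall back to the raw text so aliased joins are not broken.

# Constructed sample of tables the query has already seen (assumed helper data).
KNOWN_TABLES = %w[users posts].freeze

# Double-quote an SQL identifier, escaping embedded quotes (PostgreSQL style).
def quote_identifier(name)
  %("#{name.gsub('"', '""')}")
end

# Quote a "table.column" reference when the table is known; otherwise return
# the raw text unchanged (an alias such as "p2" is not a real table name).
def quote_column_ref(ref, known_tables = KNOWN_TABLES)
  table, column = ref.split('.', 2)
  return ref if column.nil? || !known_tables.include?(table)

  "#{quote_identifier(table)}.#{quote_identifier(column)}"
end

# Turn a hash of column => column join conditions into an SQL fragment,
# quoting each side independently with the rule above.
def join_condition_sql(conditions, known_tables = KNOWN_TABLES)
  conditions.map do |left, right|
    "#{quote_column_ref(left, known_tables)} = #{quote_column_ref(right, known_tables)}"
  end.join(' AND ')
end

if __FILE__ == $PROGRAM_NAME
  puts join_condition_sql('posts.user_id' => 'users.id') # both tables known
  puts join_condition_sql('p2.user_id' => 'users.id')    # p2 is a join alias
end
```

The second call shows the case that broke in the discussion: `p2` is an alias,
not a queried table, so it passes through unquoted while the `users` side is
still quoted safely.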