> On 20/10/2014, at 1:46 pm, Justin Gordon <justin.gor...@gmail.com> wrote:
>
> YIKES! Rails 4.1.5 requires safe params for calling Model.where(object_that_is_Hash).
>
> I documented the details here:
>
> http://forum.railsonmaui.com/t/rails-4-1-5-security-fix-breaks-model-where-attributes/110
>
> Was it expected that we needed to worry about safe_params for Model.where starting with 4.1.5? Possibly that should go into the release notes?
Hi,

Yes, it was intentional: https://groups.google.com/forum/#!topic/rubyonrails-security/M4chq5Sb540

It closes a security hole in a slightly peculiar piece of functionality where you can do:

Model.where(name: “Koz”).create

which would break pretty badly if you used Model.where(params[:attributes]).create.

In hindsight this should definitely have been documented a little more clearly.

— 
Cheers,
Koz
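An added illustration of the hole Koz describes, not code from this thread or from Rails itself: the `Params`, `Relation`, `User` and `sanitize_for_mass_assignment` names are constructed stand-ins for ActionController::Parameters, an ActiveRecord relation, a model, and the permitted-attributes check, showing why a raw params hash in `where(...).create` is mass assignment and how a `permitted?` check in `where` closes it.

```ruby
# Stand-in for the error Rails raises on unpermitted mass assignment
class ForbiddenAttributesError < StandardError; end

# Constructed stand-in for ActionController::Parameters: a hash that knows
# whether it has been filtered with permit.
class Params
  def initialize(hash, permitted: false)
    @hash, @permitted = hash, permitted
  end
  def permitted?
    @permitted
  end
  def permit(*keys)
    Params.new(@hash.select { |k, _| keys.include?(k) }, permitted: true)
  end
  def to_h
    @hash.dup
  end
end

# The check applied to mass-assigned attributes: anything that answers
# permitted? with false is rejected; plain hashes pass through untouched.
def sanitize_for_mass_assignment(attrs)
  if attrs.respond_to?(:permitted?) && !attrs.permitted?
    raise ForbiddenAttributesError, "unpermitted attributes"
  end
  attrs.to_h
end

# Constructed stand-in for a relation. Equality conditions recorded by where()
# are merged into records built by create(), so an unfiltered params hash in
# where() is mass assignment by another route; the fix checks it there too.
class Relation
  def initialize(model, scope = {})
    @model, @scope = model, scope
  end
  def where(conditions)
    Relation.new(@model, @scope.merge(sanitize_for_mass_assignment(conditions)))
  end
  def create(attrs = {})
    @model.new(**@scope.merge(sanitize_for_mass_assignment(attrs)))
  end
end

# Constructed model: an attacker-controlled admin flag is the classic target
User = Struct.new(:name, :admin, keyword_init: true) do
  def self.where(conditions)
    Relation.new(self).where(conditions)
  end
end
```

With a plain hash `User.where(name: "Koz").create` still builds a record named Koz; an unpermitted `Params` object raises in `where`, and the same object after `permit(:name)` yields a record with `admin` left nil.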