You are correct! Rails < 4.1 is not affected. Sorry for the confusion!
Godfrey (Rails core team)

Sent from Mailbox

On Fri, Jun 19, 2015 at 7:30 PM, Nemanja Čorlija <[email protected]> wrote:

> Rails 3.2.22 did not receive a fix for CVE-2015-3226
> <https://groups.google.com/forum/#!msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ>
>
> but is listed as affected by it.
> However I ran the test that ships in the patches for 4.1 and 4.2 with Rails
> 3.2.22 and it almost passes. Only difference is the case of hex characters
> in escaped string.
> So this test passes on 3.2.22 without any modifications.
>
>     def test_hash_keys_encoding
>       ActiveSupport.escape_html_entities_in_json = true
>       assert_equal "{\"\\u003c\\u003e\":\"\\u003c\\u003e\"}",
>         ActiveSupport::JSON.encode("<>" => "<>").downcase
>     ensure
>       ActiveSupport.escape_html_entities_in_json = false
>     end
>
> Can someone please confirm if Rails 3.2.22 really is vulnerable in this
> case or not?
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.
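The quoted test checks that, with `escape_html_entities_in_json` on, hash keys are escaped the same way as values. As an added example (not code from the thread or from Rails), here is a stdlib-only encoder that applies the escape to the whole serialized document so keys cannot be missed, plus a check a test suite can run on any encoded output; the escaped character set (`<`, `>`, `&`, U+2028, U+2029) is an assumption about what ActiveSupport escapes.

```ruby
require 'json'

# Added example: escape HTML-significant characters in the *serialized*
# JSON text rather than per value, so keys, values and nested structures
# all receive the same treatment. The set below is an assumption about
# ActiveSupport's behaviour, not taken from the thread.
HTML_ESCAPE_IN_JSON = {
  '<' => '\u003c',
  '>' => '\u003e',
  '&' => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Encode obj with the stdlib, then rewrite the characters that could end a
# <script> block or start a tag. The replacements are valid JSON escapes,
# so JSON.parse still round-trips to the original object.
def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| HTML_ESCAPE_IN_JSON[c] }
end

# Defender-side check for a test suite or log review: does an encoded
# document still contain raw <, > or &? Case of hex digits in escapes does
# not matter here, which sidesteps the 3.2 vs 4.x difference noted above.
def raw_html_chars?(json_text)
  json_text.match?(/[<>&]/)
end

if __FILE__ == $0
  puts html_safe_json("<>" => "<>")
end
```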
