Adam, Thanks for posting!
--
Ylan Segal
[email protected]

On Monday, February 11, 2013 at 11:14 AM, Adam Grant wrote:

> Hi Gang,
>
> A new Rails bug was exposed and a fix has been released in the form of Rails
> v3.2.12:
>
> http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
>
> Seems to only affect "attr_protected" usage.
>
> They say the JSON gem also has a security fix in the article, and to upgrade
> that as well.
>
> From activerecord/CHANGELOG.md:
>
> +## Rails 3.2.12 (unreleased) ##
> +* Quote numeric values being compared to non-numeric columns. Otherwise,
> + in some database, the string column values will be coerced to a numeric
> + allowing 0, 0.0 or false to match any string starting with a non-digit.
> + Example:
> + App.where(apikey: 0) # => SELECT * FROM users WHERE apikey = '0'
>
> + *Dylan Smith*
>
> - Adam
>
> --
> SD Ruby mailing list
> [email protected]
> http://groups.google.com/group/sdruby
> ---
> You received this message because you are subscribed to the Google Groups "SD
> Ruby" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
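Review bot: the example in the quoted CHANGELOG entry is inconsistent with its own comment: `App.where(apikey: 0)` is shown producing `SELECT * FROM users WHERE apikey = '0'`, so either the receiver should be `User` or the table should be `apps`; the entry should be aligned so readers can check the generated SQL against their own models. Two smaller points in the same hunk: "in some database" should read "in some databases", and it would help to name which adapters perform the string-to-numeric coercion rather than leaving it as "some", since that is exactly what a reader uses to decide whether their deployment is exposed; and the header still says `Rails 3.2.12 (unreleased)` although the announcement linked above describes 3.2.12 as released.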
