np, also FYI Bryan Helmkamp added a security monitor to his already excellent Code Climate: https://codeclimate.com/security-monitor

- Matt

On Mon, Feb 11, 2013 at 1:36 PM, Adam Grant <[email protected]> wrote:
> Ahh, thanks for catching that, Matt!
>
> - Adam
>
> On Mon, Feb 11, 2013 at 11:44 AM, Matt Aimonetti <[email protected]> wrote:
>> and "serialize" is also affected :) Lots of good security fixes going on
>> at the moment. It's annoying to have to update our apps, but I'm really
>> glad these security holes are being found and patched.
>>
>> - Matt
>>
>> On Mon, Feb 11, 2013 at 11:14 AM, Adam Grant <[email protected]> wrote:
>>> Hi Gang,
>>>
>>> A new Rails bug was exposed and a fix has been released in the form of
>>> Rails v3.2.12:
>>>
>>> http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
>>>
>>> Seems to only affect "attr_protected" usage.
>>>
>>> They say the JSON gem also has a security fix in the article, and to
>>> upgrade that as well.
>>>
>>> From activerecord/CHANGELOG.md:
>>>
>>> +## Rails 3.2.12 (unreleased) ##
>>> +* Quote numeric values being compared to non-numeric columns. Otherwise,
>>> +  in some database, the string column values will be coerced to a numeric
>>> +  allowing 0, 0.0 or false to match any string starting with a non-digit.
>>> +  Example:
>>> +  App.where(apikey: 0) # => SELECT * FROM users WHERE apikey = '0'
>>> +
>>> +  *Dylan Smith*
>>>
>>> - Adam
>>>
>>> --
>>> --
>>> SD Ruby mailing list
>>> [email protected]
>>> http://groups.google.com/group/sdruby
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "SD Ruby" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
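Added example (not from this thread and not Rails' own code): it models the CHANGELOG entry Adam quoted, contrasting the pre-3.2.12 bare-number literal with the quoted one, and simulates MySQL's implicit string-to-number cast (assumed: a leading numeric prefix is parsed, anything else becomes 0) against a constructed users table so the reader can see which rows `apikey = 0` silently matched.

```ruby
# Simulated MySQL coercion of a string to a number: the leading numeric
# prefix is parsed; a string with no such prefix becomes 0 (assumption
# for this example, matching the behaviour the CHANGELOG describes).
def mysql_numeric_cast(str)
  m = str.match(/\A\s*[+-]?\d+(\.\d+)?/)
  m ? m[0].to_f : 0.0
end

# Simulated `column = literal` on a string column: a numeric literal
# forces the column value to be cast to a number before comparing.
def mysql_equal(column_value, literal)
  if literal.is_a?(Numeric)
    mysql_numeric_cast(column_value) == literal.to_f
  else
    column_value == literal
  end
end

# Pre-3.2.12 behaviour: a numeric Ruby value is emitted as a bare number.
def unsafe_literal(value)
  value.is_a?(Numeric) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
end

# 3.2.12 behaviour: values compared to a non-numeric column are quoted,
# so the database does a string comparison instead of a numeric one.
def quoted_literal(value, column_type)
  return value.to_s if value.is_a?(Numeric) && column_type == :integer
  "'#{value.to_s.gsub("'", "''")}'"
end

# Evaluate `WHERE apikey = <literal_sql>` over in-memory rows using the
# simulated MySQL comparison above.
def matching_rows(rows, literal_sql)
  literal = literal_sql.start_with?("'") ? literal_sql[1..-2] : literal_sql.to_f
  rows.select { |r| mysql_equal(r[:apikey], literal) }
end

# Constructed sample table; no key starts with a digit other than the "0x" one.
USERS = [
  { id: 1, apikey: "abc123" },
  { id: 2, apikey: "0xdeadbeef" },
  { id: 3, apikey: "42secret" },
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unquoted: " + matching_rows(USERS, unsafe_literal(0)).map { |r| r[:id] }.inspect
  puts "quoted:   " + matching_rows(USERS, quoted_literal(0, :string)).map { |r| r[:id] }.inspect
end
```

With the bare `0`, the two keys that cast to 0 match even though the caller never knew them; with `'0'` nothing matches, which is the point of quoting against a non-numeric column.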
