Hi,
I think there is still a major vulnerability in the latest Rails 1.1.5.
The problem is in the routing.rb file and safe_load_paths method.
Because of the erroneous regexp it is possible to perform a DoS attack
on any Rails application.
To reproduce:
1. start your application
2. use th
I've upgraded my Rails apps to 1.1.5, however they still seem to be
affected by a major vulnerability (not sure if it's the same one that
is supposed to be fixed by 1.1.5 or a new one). Can someone contact
me directly when they get a chance?
thanks
___
The cat is out of the bag, so here's the full disclosure edition of
the current security vulnerability. With Rails 1.1.0 through 1.1.5
(minus the short-lived 1.1.3), you can trigger the evaluation of Ruby
code through the URL because of a bug in the routing code of Rails.
This means that you can e
* David Heinemeier Hansson ([EMAIL PROTECTED]) wrote:
> The cat is out of the bag, so here's the full disclosure edition of
> the current security vulnerability.
Would it be worth starting a rails-announce list that all users
could be encouraged to subscribe to? I guess there are s
Hi,
I have been watching for any development in Prototype.js. The last
time I was able to check Rails trac (which seems to be down now), it
had been a long time since any substantial changes were made to
Prototype.js. Sam Stevenson seems to be the sole maintainer but his
elusiveness makes this feel li
Would it be worth starting a rails-announce list that all users
could be encouraged to subscribe to? I guess there are still
people who haven't heard about this yet, and also guess that
they'd be more likely to sign up for a low-traffic announce list
than th