Phusion have a write-up explaining how this is not as scary as it might seem and how it's actually exploited, though you should probably upgrade as soon as possible just in case.
Apparently there is a second part to this: Rails accepts input with certain MIME types and automatically decodes it, namely JSON and XML:
And using those, you can somehow get a hash with symbols into params, which would exploit the vulnerability in AR's find_*. Egor claims YAML too, but I don't see that in the default list of parsers. I haven't had time to dig into this, but adding:
to config/application.rb will disable the JSON/XML parsers until a proper fix comes along. I'm still not sure if this is fixed by Rails/AR 3.2.10 or if this is an additional vulnerability.
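An added example of the kind of change the post describes, not the author's own snippet: it assumes Rails 3.2, where `ActionDispatch::ParamsParser::DEFAULT_PARSERS` is the hash mapping `Mime::XML` and `Mime::JSON` to their body parsers, and removes both entries from `config/application.rb` while recording what was switched off.

```ruby
# Added example (assumption: Rails 3.2, where
# ActionDispatch::ParamsParser::DEFAULT_PARSERS maps Mime::XML and
# Mime::JSON to the parsers that decode request bodies into params).

# Remove the given MIME types from a parser table and return the entries
# that were removed, so the application can log exactly which request body
# parsers are no longer active.
def disable_body_parsers(parsers, *mime_types)
  mime_types.each_with_object({}) do |mime, removed|
    parser = parsers.delete(mime)
    removed[mime] = parser if parser
  end
end

# In config/application.rb, after `require 'rails/all'`: stop Rails from
# decoding XML and JSON bodies into params until the proper fix is in place.
# The guard only lets this run inside a Rails process; stand-alone it is a no-op.
if defined?(ActionDispatch::ParamsParser::DEFAULT_PARSERS)
  removed = disable_body_parsers(ActionDispatch::ParamsParser::DEFAULT_PARSERS,
                                 Mime::XML, Mime::JSON)
  warn "Disabled request body parsers: #{removed.keys.join(', ')}" unless removed.empty?
end
```

Requests with those content types then arrive with an undecoded body, so any controller that relied on XML or JSON params will need another way to read them until the upgrade.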