January 3, 2013

Ruby on Rails SQL injection issue

An SQL injection vulnerability in all Ruby on Rails releases has been disclosed. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL." Fixes can be found in the 3.2.10, 3.1.9, and 3.0.18 releases. This seems like a good one to address quickly...Read more at LWN