Rails 1.1.5 is still broken, here's a workaround

Posted by Scott Laird Thu, 10 Aug 2006 16:28:07 GMT

Apparently Rails 1.1.5 is still broken. It fixed one attack but left a couple of other holes open. Piers has a workaround that should work for any Rails app.

Now would be a great time to fix this, because the exploit is fairly obvious right now.


Comments

  1. mike said about 1 hour later:

    Should I take it as a bad sign that Piers’ site is throwing up 500 “Application error (Rails)” messages? :-)

  2. Scott Laird said about 1 hour later:

    Sigh. Bad timing–he just started an update and found a bug in some semi-unrelated work.

  3. ferd said about 4 hours later:

    I got Rails 1.1.6 installed. What’s the cleanest way to force Typo to use it (instead of 1.1.5)?

  4. Scott Laird said about 4 hours later:

    rake rails:freeze:gems should do it.
