Rails 1.1.5 is still broken, here’s a workaround
Apparently Rails 1.1.5 is still broken. It fixed one attack but left a couple of other holes open. Piers has a workaround that should work for any Rails app.
Now would be a great time to fix this, because the exploit is fairly obvious right now.