Eric Hodel wrote:
> On Aug 10, 2006, at 9:58 AM, William Grosso wrote:
> 
>>    who are really concerned about what the patch might contain have  
>> would have
>> been more questionable, and put more applications at risk).
>>
>> They've given us an amazing framework, and they're behaving  
>> responsibly.
>>
>> I, for one, want to publicly say "Thank you."
> 
> This is the fourth vulnerability that I know of in Rails, but the
> first that has been fully acknowledged as such.

There's another one open:
http://wrath.rubyonrails.org/pipermail/rails-core/2006-July/002077.html

It's not as easily exploitable as the one that was fixed in 1.1.5, but 
depending on the application it can be very dangerous, e.g. if the 
string is used in a system call or in a SQL statement. I posted the 
description and a fully tested and documented patch on the Rails-Core 
list and on the bug tracker more than two weeks ago, with the tag 
"Security" in the subject, but so far there hasn't even been a reaction 
from the core developers.

-- 
Posted via http://www.ruby-forum.com/.
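The danger the poster describes (a string that ends up in a system call or a SQL statement) is shown below as an added example. It is not code from the Rails issue or from the thread, and it does not reproduce the Rails bug itself; the tainted string, the `echo` command and the `users` table are constructed for illustration. It contrasts shell interpolation with the argv form of `IO.popen` and with `Shellwords.escape`, and naive SQL interpolation with a minimal quoted-literal binding that stands in for a driver's bind parameters.

```ruby
require 'shellwords'

# Constructed sample input: an attacker-controlled value of the kind the
# post warns about. It is not taken from the Rails issue.
TAINTED = "report.txt; echo INJECTED"

# Unsafe: the value is interpolated into a shell command line, so the ';'
# is parsed by /bin/sh and the second command runs.
def run_unsafe(name)
  `echo #{name}`
end

# Safe: argv form hands the value to the program as a single argument and
# never goes through a shell.
def run_safe(name)
  IO.popen(["echo", name], &:read)
end

# Also safe when a shell line is unavoidable: escape the value first.
def run_escaped(name)
  `echo #{Shellwords.escape(name)}`
end

# SQL, same pattern. Interpolating the value lets a single quote close the
# literal and append an attacker-chosen clause.
def sql_unsafe(username)
  "SELECT * FROM users WHERE name = '#{username}'"
end

# Minimal placeholder binding: the value is turned into a quoted literal
# (single quotes doubled) so it cannot terminate the string. A real driver's
# bind parameters do this for you; this helper only illustrates the idea.
def sql_bound(username)
  literal = "'" + username.gsub("'", "''") + "'"
  "SELECT * FROM users WHERE name = ?".sub("?") { literal }
end

if __FILE__ == $0
  puts "unsafe shell:  #{run_unsafe(TAINTED).inspect}"
  puts "argv form:     #{run_safe(TAINTED).inspect}"
  puts "escaped shell: #{run_escaped(TAINTED).inspect}"
  puts "unsafe SQL:    #{sql_unsafe("x' OR '1'='1")}"
  puts "bound SQL:     #{sql_bound("x' OR '1'='1")}"
end
```

With the constructed input, the unsafe shell form prints two lines (the second being the injected command's output), while the argv and escaped forms print the string verbatim; the unsafe SQL form yields a query whose `WHERE` is always true, while the bound form keeps the whole value inside one literal.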