<div dir="ltr">I've seen this floating around on Twitter today.<div><br></div><div style>Never used it, but it could be a half solution for those who can't upgrade their Rails version.</div><div style><br></div><div style>
<a href="https://github.com/rkh/almost-rack-protection">https://github.com/rkh/almost-rack-protection</a><br></div><div style><br></div><div style>Source: <a href="https://twitter.com/konstantinhaase/status/289006486133276672">https://twitter.com/konstantinhaase/status/289006486133276672</a></div>
<div style><br></div><div style>Nic</div></div><div class="gmail_extra"><br clear="all"><div>--<br>Nicolas Alpi, web developer, cookies eater<br><a href="http://www.wealsodocookies.com" target="_blank">http://www.wealsodocookies.com</a></div>
<br><br><div class="gmail_quote">On Wed, Jan 9, 2013 at 10:13 AM, Matthew Rudy Jacobs <span dir="ltr">&lt;<a href="mailto:matthewrudyjacobs@gmail.com" target="_blank">matthewrudyjacobs@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><p dir="ltr">On 9 Jan, 2013 4:30 AM, "Najaf Ali" &lt;<a href="mailto:ali@happybearsoftware.com" target="_blank">ali@happybearsoftware.com</a>&gt; wrote:<br>
><br>
> +1, this vulnerability allows you to run more or less whatever code you like in any application, even if you don't have controllers.</p>
</div><p dir="ltr">I think this bit is interesting.<br>
<br>
Parameters get parsed before a route is matched. And this vulnerability occurs right at this point. <br>
</p>
<br>_______________________________________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org">Chat@lists.lrug.org</a><br>
<a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" target="_blank">http://lists.lrug.org/listinfo.cgi/chat-lrug.org</a><br>
<br></blockquote></div><br></div>