LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ruby on Rails SQL injection issue

Ruby on Rails SQL injection issue

Posted Jan 8, 2013 23:12 UTC (Tue) by job (guest, #670)
Parent article: Ruby on Rails SQL injection issue

Turns out sending XML- or YAML-formatted paramters yields all sorts of nasty side effects including arbitrary remote code execution.

Disable XML and YAML parsing in all Rails applications if you don't need it, and upgrade now. All version of Rails are affected. Read a technical analysis here.

(*sigh* sometimes I yearn for Perl which has had taint mode since 1989...)

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds