Turns out sending XML- or YAML-formatted parameters yields all sorts of nasty side effects including arbitrary remote code execution.
Disable XML and YAML parsing in all Rails applications if you don't need it, and upgrade now. All versions of Rails are affected. Read a technical analysis here.
(*sigh* sometimes I yearn for Perl which has had taint mode since 1989...)
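
An added illustration, not part of the original post and not Rails code: with Ruby's standard Psych library, full YAML deserialization lets a type tag in the input choose which class gets instantiated, while restricted loading rejects it. The `Probe` class, the helper names and both sample documents are constructed for this example.

```ruby
require "yaml"

# Constructed stand-in for any class loaded in the application.
class Probe
  attr_reader :cmd
end

# Constructed sample bodies: one with a Ruby type tag, one plain.
TAGGED = "--- !ruby/object:Probe\ncmd: touched\n"
PLAIN  = "---\nname: alice\nroles:\n- admin\n"

# Full deserialization: type tags pick the class to instantiate.
# Newer Psych calls this unsafe_load; on older Psych it is plain load.
def full_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Restricted deserialization: core types only; a tagged object is
# rejected with Psych::DisallowedClass, returned here for inspection.
def restricted_load(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass => e
  e
end

# Detection aid: parse to the node tree (no objects are built) and
# list explicit tags, e.g. for logging or rejecting a request body.
def type_tags(text)
  doc = YAML.parse(text)
  return [] unless doc
  doc.select { |n| n.respond_to?(:tag) && n.tag }.map(&:tag)
end

if __FILE__ == $PROGRAM_NAME
  p full_load(TAGGED).class        # class chosen by the input
  p restricted_load(TAGGED).class  # rejection instead of an object
  p restricted_load(PLAIN)         # plain data still parses
  p type_tags(TAGGED)              # tags visible without loading
end
```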