search for: safe_load_path

Displaying 3 results from an estimated 3 matches for "safe_load_path".

2006 Aug 10
5
Major security vulnerability in the latest Rails 1.1.5
Hi, I think there is still a major vulnerability in the latest Rails 1.1.5. The problem is in the routing.rb file and safe_load_paths method. Because of the erroneous regexp it is possible to perform a DOS attack on any rails application. To reproduce: 1. start your application 2. use this url: http://localhost:3000/debug Routing module will load standard debug.rb script which stops a dispatcher process waiting for a terminal...
2006 Aug 11
1
Engines & Rails 1.1.6
...into the void, without the slightest inkling of who or what is out here. Please replace your copy of engines with the 1.1 release branch: cd /path/to/my/app/vendor/plugins rm -fr engines svn co http://svn.rails-engines.org/engines/branches/rb_1.1 engines This patch changes the behaviour of safe_load_paths to use the Configuration#controller_paths array, which isn't currently used by Rails. Odd, that. So now, the engines plugin patches Rails to actually use that configuration option as it would appear to have been intended. A side effect is that you can add additional paths to controllers i...
2006 Aug 10
28
On the total nondisclosure of the 8/9/06 security vulnerability
Dear Rails team, The handling of the recent vulnerability in Rails has proven somewhat problematic for us. We have recently adopted Rails as our web platform of choice; previously, we used J2EE. We love Rails. We hate J2EE. We don't want to go back. It took a lot of effort and convincing to get the management teams of our various projects to sign off on the use of Rails. The