by huxley
5003 days ago
Hard to tell from the post, but it sounds like Rails gave an Exception because it couldn't find should_group_accessibility_children, but that suggests that it would act on something it could find. If there was a parameter that gave a user admin access, then Rails might accept such a parameter and that might be used to take control of the app. It's similar to what happened to Github. https://github.com/rails/rails/issues/5228 I would think that the API would validate the POST parameters, ignore unexpected parameters and give errors for malformed expected ones. Taking it a bit further, the developer should then be notified of malformed POST parameters being present and decide if it is a bug or an attack.
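The allow-list approach the comment argues for, as an added example that is not part of the original thread and is not Rails code: unexpected keys are dropped and logged, expected keys are validated, and only the surviving keys reach the model. The User class, the filter_params helper, the PERMITTED schema and the request body are constructed for illustration.

```ruby
# Added example (not the commenter's code): a Rails-free sketch of allow-listed
# parameter handling. All names below are assumptions for the illustration.
require 'logger'

class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Unsafe mass assignment: every key in the hash becomes a setter call, so an
  # unexpected "admin" key in the request body flips the privilege flag.
  def assign_attributes_unsafe(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Safe path: only keys that already passed filter_params are applied.
  def assign_attributes(filtered)
    filtered.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Outcome of filtering one request body against the allow-list.
ParamFilter = Struct.new(:permitted, :unexpected, :malformed)

# Allow-list: each expected key maps to a validator for its value.
PERMITTED = {
  'name'  => ->(v) { v.is_a?(String) && !v.strip.empty? },
  'email' => ->(v) { v.is_a?(String) && v.match?(/\A[^@\s]+@[^@\s]+\z/) }
}.freeze

# Unexpected keys are dropped and reported (the developer can then decide
# whether it is a bug or an attack); malformed expected keys are collected
# so the caller can reject the request.
def filter_params(params, schema = PERMITTED, logger: Logger.new($stderr))
  permitted = {}
  unexpected = []
  malformed = []
  params.each do |key, value|
    key = key.to_s
    if !schema.key?(key)
      unexpected << key
    elsif !schema[key].call(value)
      malformed << key
    else
      permitted[key] = value
    end
  end
  logger.warn("unexpected params dropped: #{unexpected.join(',')}") unless unexpected.empty?
  ParamFilter.new(permitted, unexpected, malformed)
end

# Returns [user_or_nil, filter_result]; nil means the request must be rejected.
def build_user(params, logger: Logger.new(nil))
  result = filter_params(params, logger: logger)
  return [nil, result] unless result.malformed.empty?
  [User.new.assign_attributes(result.permitted), result]
end

# Constructed request body: a valid signup plus a smuggled "admin" key.
CONSTRUCTED_BODY = { 'name' => 'alice', 'email' => 'alice@example.com', 'admin' => true }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe admin=#{User.new.assign_attributes_unsafe(CONSTRUCTED_BODY).admin}"
  user, res = build_user(CONSTRUCTED_BODY, logger: Logger.new($stderr))
  puts "safe admin=#{user.admin}, dropped=#{res.unexpected.inspect}"
end
```

The unsafe setter shows why the comment's worry is real: an unknown key is silently honoured if a matching setter exists. The filtered path never consults the model for which keys are acceptable; the allow-list decides, and anything outside it becomes a log line rather than a state change.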