by adamonduty
4905 days ago
For this very reason I patched a version of Rails 3.2.8 with the following patch files distributed by the ror-security mailing list[1]:

3-2-dynamic_finder_injection.patch
3-2-null_array_param.patch
3-2-xml_parsing.patch

The changelogs didn't cleanly apply but everything else did.

In your Gemfile,

    gem 'rails', :git => 'git://github.com/adamonduty/rails', :branch => '3.2.8_with_security_patches'

This will install version 3.2.8a. If you get a bundler error "NoMethodError: undefined method [] for nil:NilClass", try upgrading your rubygems-bundler gem to version 1.1.0.

See https://github.com/adamonduty/rails/tree/3.2.8_with_security... for the commits.

Given the number of changes and known issues in 3.2.9, I don't understand why the core team didn't perform a similar release.

[1] https://groups.google.com/forum/?fromgroups=#!topic/rubyonra...