The release of Ruby on Rails 1.2.4 addresses some potential security issues; all users of earlier versions are advised to upgrade to 1.2.4.
The following issues have been addressed:
- URL-based sessions are no longer enabled by default, as they allowed users to provide their session_id in the URL as well as in cookies. This functionality could be exploited by a malicious user to obtain an authenticated session. Use config.action_controller.session_options[:cookie_session_id_only] = false to re-enable it.
- Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json.
- Potential Information Disclosure or DoS with Hash#from_xml: Maliciously crafted requests to a Rails application could cause the XML parser to read files from the server's disk or the network. 1.2.4 removes this functionality entirely.
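The JSON item above is the kind of bug where a record field containing HTML markup is serialized to JSON and then dropped into an inline script tag. The following is an added example, not Rails' own code: it contrasts a naive encoder with one that writes <, > and & as JSON \uXXXX escapes (assumed here to mirror the approach the 1.2.4 change took), and shows that the escaped form survives a round trip through a JSON parser.

```ruby
require 'json'

# Naive encoder: plain JSON, HTML metacharacters left as-is.
def naive_json(obj)
  JSON.generate(obj)
end

# Hardened encoder: characters that are significant inside an HTML/script
# context are written as JSON unicode escapes. JSON permits any character to
# be written as \uXXXX, so a parser decodes the same value either way.
HTML_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

def html_safe_json(obj)
  # Block-form gsub uses the returned string literally, so the backslash
  # reaches the output unchanged.
  JSON.generate(obj).gsub(/[<>&]/) { |c| HTML_ESCAPES[c] }
end

# Simulates a view that embeds serialized data into an inline script.
def embed_in_script(json)
  "<script>var data = #{json};</script>"
end

# A second closing script tag means the data broke out of the script block.
def breaks_out_of_script?(html)
  html.scan(%r{</script>}i).size > 1
end

# Constructed sample record: a user-controlled field carrying a script tag
# (this is the payload shape, not a real application's data).
SAMPLE_RECORD = { 'name' => '</script><script>alert(1)</script>' }.freeze

if __FILE__ == $0
  puts "naive:    #{embed_in_script(naive_json(SAMPLE_RECORD))}"
  puts "hardened: #{embed_in_script(html_safe_json(SAMPLE_RECORD))}"
  puts "round trip intact: #{JSON.parse(html_safe_json(SAMPLE_RECORD)) == SAMPLE_RECORD}"
end
```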