01 Jun '12, 3pm

time to update your clearance gem if you haven't applied the latest rails update. #rails #security

June 1, 2012 Tagged: clearance security sql injection nil

Clearance 0.16.3 fixes a password reset vulnerability

The new release of Clearance works around the latest Rails SQL injection. Upgrade to Clearance 0.16.3 for the security fix:

    gem 'clearance', '~> 0.16.3'

Background

In Clearance we generate a confirmation_token when you forget your password, and clear it when you successfully reset your password. In the controller we find the user like this:

    @user = User.find_by_id_and_confirmation_token(params[:user_id], params[:token])

This approximately translates to this ARel query:

    User.where(:id => params[:user_id], :confirmation_token => params[:token])

Normally this generates perfectly safe SQL:

    SELECT users.* FROM users WHERE users.id = 1 AND users.confirmation_token = 'hello' LIMIT 1

Exploit

If params[:token] is a list with one nil element, the generated...

Full article: http://robots.thoughtbot.com/post/24197949040/clearance-0...
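The nil-element case the excerpt is about, worked through as an added example that is not code from the Clearance post or from Rails: a plain-Ruby model of how the pre-fix Rails 3.2 predicate builder turned a where hash into SQL. The IS NULL branch for arrays containing nil follows the behaviour the post describes; the names USERS, predicate_sql, where_sql, find_user_for_reset and find_user_for_reset_safely are the example's own, the user rows and params are constructed, and the hardened lookup is one plausible fix, not necessarily the change shipped in 0.16.3.

```ruby
# Added example, not code from Clearance or Rails. It models, without a
# database, how the pre-fix Rails 3.2 predicate builder turned a
# where(:column => value) hash into SQL, so the [nil] case can be seen directly.

# Constructed sample table: Alice has a reset in progress, Bob never asked for one.
USERS = [
  { id: 1, email: "alice@example.com", confirmation_token: "hello" },
  { id: 2, email: "bob@example.com",   confirmation_token: nil },
].freeze

def quote(v)
  v.is_a?(Integer) ? v.to_s : "'#{v.to_s.gsub("'", "''")}'"
end

# Simplified stand-in for ActiveRecord's PredicateBuilder (assumption: it mirrors
# the behaviour the post describes; it is not the Rails code). A plain value
# becomes an equality, nil becomes IS NULL, an Array becomes IN (...), and any
# nil inside the Array is pulled out and becomes OR ... IS NULL.
def predicate_sql(column, value)
  col = "users.#{column}"
  case value
  when nil then "#{col} IS NULL"
  when Array
    non_nil = value.compact
    if non_nil.empty?
      "#{col} IS NULL" # [nil] -> IS NULL: matches every user with no token
    elsif non_nil.size < value.size
      "(#{col} IN (#{non_nil.map { |v| quote(v) }.join(', ')}) OR #{col} IS NULL)"
    else
      "#{col} IN (#{non_nil.map { |v| quote(v) }.join(', ')})"
    end
  else
    "#{col} = #{quote(value)}"
  end
end

def where_sql(conditions)
  "SELECT users.* FROM users WHERE " +
    conditions.map { |c, v| predicate_sql(c, v) }.join(" AND ") + " LIMIT 1"
end

# In-memory evaluation with the same semantics as predicate_sql (string
# comparison stands in for ActiveRecord's column type cast).
def predicate_match?(row, column, value)
  stored = row[column]
  case value
  when nil   then stored.nil?
  when Array then value.any? { |v| v.nil? ? stored.nil? : (!stored.nil? && stored.to_s == v.to_s) }
  else            !stored.nil? && stored.to_s == value.to_s
  end
end

# The lookup the post describes, fed straight from params.
def find_user_for_reset(params)
  conditions = { id: params["user_id"], confirmation_token: params["token"] }
  USERS.find { |u| conditions.all? { |c, v| predicate_match?(u, c, v) } }
end

# Hardened lookup (assumption: one reasonable fix, not necessarily Clearance's):
# the token must be a non-empty String before it reaches the query, so neither
# nil nor an Array can turn the equality into IS NULL.
def find_user_for_reset_safely(params)
  token = params["token"]
  return nil unless token.is_a?(String) && !token.empty?
  find_user_for_reset("user_id" => params["user_id"].to_s, "token" => token)
end

# Rack parses "?user_id=2&token[]" into {"user_id"=>"2", "token"=>[nil]};
# constructed here rather than parsed so the example runs without Rack.
NORMAL_PARAMS    = { "user_id" => "1", "token" => "hello" }.freeze
MALICIOUS_PARAMS = { "user_id" => "2", "token" => [nil] }.freeze

if __FILE__ == $0
  puts where_sql(id: 1, confirmation_token: "hello")
  puts where_sql(id: 2, confirmation_token: [nil])
  p find_user_for_reset(MALICIOUS_PARAMS)        # Bob, who never requested a reset
  p find_user_for_reset_safely(MALICIOUS_PARAMS) # nil
end
```

Run it with ruby to print both queries. The unfixed lookup returns Bob, whose stored token is nil precisely because he never started a reset, so anyone who can reach the reset form with a token[] parameter could set his password. Rejecting anything but a non-empty String before the value reaches the query closes that path independently of the Rails version in use.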

Tweets

clearance (0.16.3): Rails authentication & auth...

rubygems.org 01 Jun '12, 1pm

Dan Croak, Mike Burns, Jason Morrison, Joe Ferris, Eugene Bolshakov, Nick Quaranto, Josh Nichols, Mike Breen, Jon Yurek, C...

please? :3

modparade.com 03 Jun '12, 5am

A vintage inspired dress. This peterpan collar design dress comes with a defined waist line, slight pleated skirt, back con...

pretty pretty dress :3

modparade.com 03 Jun '12, 5am

An asymmetrical design dress. This dress comes with a cape-like collar with an elastic waist band. It also comes with an ar...

Ruby vulnerability with RegExps

rubyflow.com 01 Jun '12, 1pm

Ruby vulnerability with RegExps Posted by gravis on June 01, 2012 — 4 comments We just learned from http://habrahabr.ru/po...

What’s New in Edge Rails #23: Week of May 28 -J...

afreshcup.com 04 Jun '12, 4pm

It was a fairly quiet week on the Rails front. Well, if you don't count multiple non-edge dot releases for security fixes....

7-10 June 2012, Branded Toys Warehouse Clearanc...

shoppingnsales.com 08 Jun '12, 2am

1Malaysia Mega Sale Carnival 2012 warehousesales