An SQL injection vulnerability in all Ruby on Rails releases has been disclosed. “Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.” Fixes can be found in the 3.2.10, 3.1.9, and 3.0.18 releases. This seems like a good one to address quickly…Read more at LWN
