Hi everyone,
A new Rails version was recently released because of these two security problems:
* CVE-2012-2660 Ruby on Rails Active Record Unsafe Query Generation Risk
* CVE-2012-2661 Ruby on Rails Active Record SQL Injection Vulnerability
(see the ruby-lang mailing list)
Is DataMapper vulnerable to either of those? More specifically, does
DataMapper allow special strings to translate into 'IS NULL'?
The documentation at http://datamapper.org/docs/find.html would suggest
that it is at least vulnerable to the second attack, where a hash is
crafted to query tables other than those immediately mentioned in the
controller code.
Anyone got the time to look into this?
regards,
kaspar
--
You received this message because you are subscribed to the Google Groups
"DataMapper" group.
To post to this group, send email to datamapper@googlegroups.com.
To unsubscribe from this group, send email to
datamapper+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/datamapper?hl=en.
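The two query-generation shapes the question refers to, shown with an added toy condition builder. This is example code written for this page; it is not DataMapper's or Rails' implementation and makes no claim about what either does. The builder, the table and column names, and the parameter hashes are all constructed for illustration; the hashes are written in the shapes that Rack-style nested-query parsing produces for the query strings noted beside them.

```ruby
# Added example (not from the original post, DataMapper, or Rails): a toy
# hash-conditions builder that turns request parameters straight into SQL,
# reproducing the two unsafe shapes the CVEs describe, beside a hardened
# variant that only accepts scalar values from the request.

# Quote a scalar as a SQL string literal (toy quoting, enough for the demo).
def sql_literal(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Naive builder: nil becomes IS NULL, an Array becomes IN (...) with an
# IS NULL disjunct when it contains nil, and a Hash value is interpreted as
# "key is a table name, inner pairs are that table's columns".  This mirrors
# the behaviour described in the post, not any particular ORM's code.
def naive_condition(column, value, table)
  case value
  when nil
    "#{table}.#{column} IS NULL"
  when Array
    present = value.compact
    clauses = []
    clauses << "#{table}.#{column} IN (#{present.map { |v| sql_literal(v) }.join(', ')})" unless present.empty?
    clauses << "#{table}.#{column} IS NULL" if present.size < value.size
    clauses.size == 1 ? clauses.first : "(#{clauses.join(' OR ')})"
  when Hash
    value.map { |col, v| naive_condition(col, v, column) }.join(" AND ")
  else
    "#{table}.#{column} = #{sql_literal(value)}"
  end
end

def naive_where(table, conditions)
  "SELECT * FROM #{table} WHERE " +
    conditions.map { |col, v| naive_condition(col, v, table) }.join(" AND ")
end

# Hardened builder: a request value must be a String or Integer.  Anything the
# parameter parser can turn into nil, an Array or a Hash is rejected before it
# reaches the query, so the controller's own column stays the only one queried.
def safe_condition(column, value, table)
  unless value.is_a?(String) || value.is_a?(Integer)
    raise ArgumentError, "non-scalar value for #{table}.#{column}: #{value.inspect}"
  end
  "#{table}.#{column} = #{sql_literal(value)}"
end

def safe_where(table, conditions)
  "SELECT * FROM #{table} WHERE " +
    conditions.map { |col, v| safe_condition(col, v, table) }.join(" AND ")
end

# Constructed parameter hashes, in the shapes Rack-style nested-query parsing
# yields for the query strings in the comments (hypothetical table/columns):
PARAMS_NORMAL = { "name" => "alice" }                              # ?name=alice
PARAMS_NULL   = { "name" => [nil] }                                # ?name[]
PARAMS_TABLE  = { "name" => { "users" => { "admin" => "1" } } }   # ?name[users][admin]=1

if __FILE__ == $0
  puts naive_where("posts", PARAMS_NORMAL)
  puts naive_where("posts", PARAMS_NULL)    # matches every row with a NULL name
  puts naive_where("posts", PARAMS_TABLE)   # condition lands on a different table
  begin
    safe_where("posts", PARAMS_NULL)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the hardened variant is that the check happens on the value's type, not its content: the dangerous inputs here contain no quotes or SQL keywords at all, so string escaping alone would not have caught them.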