On Oct 14, 3:08 pm, Jeremy Evans <[email protected]> wrote:
> Just in case you were wondering, the recent ActiveRecord nested
> attributes vulnerability
> (http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c, patch
> at http://github.com/rails/rails/commit/9ebe582830fd0386e09a917d81eb6cff...)
> does not apply to Sequel's nested_attributes plugin. When I initially
> wrote the nested_attributes plugin, I anticipated the vulnerability
> and protected against it by checking that the records to be modified
> were already associated
> (http://github.com/jeremyevans/sequel/commit/412115d8706bba4a25dcda32ffde08f68b5f7ccc#L3R95).

It looks like they still haven't fixed the vulnerability I fixed a year ago, though (http://github.com/jeremyevans/sequel/commit/025e60d1f202c14323e9fd82e1f5db7018721f61).

Jeremy
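
The check described in the message above (only modifying nested records that are already associated with the parent), shown next to a lookup that lacks it. This is an added example, not code from the original message, Sequel or Rails; `Track`, `Album`, the in-memory `store` and both setter names are hypothetical stand-ins.

```ruby
# Added illustration: in-memory stand-ins, not Sequel or ActiveRecord code.
Track = Struct.new(:id, :album_id, :title)

class Album
  def initialize(id, store)
    @id = id
    @store = store # hypothetical global table: track id => Track
  end

  # Tracks currently associated with this album.
  def tracks
    @store.values.select { |t| t.album_id == @id }
  end

  # No association check: the submitted id is looked up across the whole
  # table, so a form for this album can modify another album's track.
  def tracks_attributes_unscoped=(list)
    list.each do |attrs|
      track = @store[attrs[:id]]
      track.title = attrs[:title] if track
    end
  end

  # With the check: an id is honoured only if it names a record already
  # associated with this album; anything else is rejected.
  def tracks_attributes_scoped=(list)
    list.each do |attrs|
      track = tracks.find { |t| t.id == attrs[:id] }
      raise ArgumentError, "track #{attrs[:id]} not associated" unless track
      track.title = attrs[:title]
    end
  end
end

# Constructed sample data: track 2 belongs to album 20, not album 10.
def demo
  store = { 1 => Track.new(1, 10, "mine"), 2 => Track.new(2, 20, "theirs") }
  album = Album.new(10, store)
  album.tracks_attributes_unscoped = [{ id: 2, title: "overwritten" }]
  after_unscoped = store[2].title
  store[2].title = "theirs" # reset before exercising the checked setter
  rejected = begin
    album.tracks_attributes_scoped = [{ id: 2, title: "overwritten" }]
    false
  rescue ArgumentError
    true
  end
  [after_unscoped, rejected, store[2].title]
end
```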
