Working round the Rails showstopper

Posted by Piers Cawley on Aug 8, 2006

So, it turns out that the rush-released Rails 1.1.5 doesn’t actually fix the security problem. Worse, it seems that the problem lies somewhere in the nest of serpents that is the routing system. It turns out that some of the magic that lets everything work in nice ways doesn’t do enough to make sure that malicious people can’t make everything work in nasty ways.

The problem lies in the route that everyone has in their routes.rb: