

Rails 4.0.9 and 4.1.5 have been released - tweakz
http://weblog.rubyonrails.org/2014/8/18/Rails_4_0_9_and_4_1_5_have_been_released/

======
dmix
Briefly searching Github for create_with it seems to be mostly used with seed
data and/or test factory models.

[https://github.com/search?l=Ruby&q=create_with&ref=cmdform&t...](https://github.com/search?l=Ruby&q=create_with&ref=cmdform&type=Code&utf8=%E2%9C%93)

Although quite a few are taking raw user input. I'd imagine not all of them are
Rails 4+ though.

------
Siecje
I'm impressed with how few issues Rails has right now.

~~~
scott_karana
I agree! I last updated to 4.1.1, and none of the security patches since then
have been relevant to my codebase or included gems, so far.

~~~
stouset
Don't be so sure with this one. They only disclosed the `create_with` issue,
but `where(params).create` was also vulnerable. Unfortunately, the latter is
much harder to search for and more likely to be used since `where` is
seemingly safe.

~~~
scott_karana
I have a very, very small codebase for my single application, so I'm sure: RoR
beginner here, it's my first project. ;)

But that's a pretty thoughtful warning for others, upvoted!

------
stouset
I reported this.

Curiously, they patched (but didn't disclose) the more severe half of this
bug. Calls to `Model.where(params).create` also don't protect against mass
assignment. I believe this pattern is both _much_ more prevalent and hard to
detect.

------
lectrick
Now with less TDD!

