The two HN posts didn't get many upvotes though: https://hn.algolia.com/?query=https:%2F%2Fweblog.rubyonrails...
Admittedly there are probably a lot of applications out there running outdated versions.
edit: Kind of surprising this gets upvoted while we rarely see things from exploit-db / fulldisclosure
I was under the impression the 'Accept:' header is a list of media types, so why would that be making filesystem calls? Or does Rails implicitly organize assets in a filesystem structure (something like ~/assets/audio or ~/assets/text)?
Also, if interested, direct link to patch fix:
Also as others pointed out, this is a pretty rare use of `render` (but any application large enough might have it).
You have to do something wrong to have the bug --- render a file without specifying the format --- but you have to do something extra to avoid that mistake, and the feature works just fine if you don't, so I'm not surprised that we've found it in real applications.
Or just, you know, looking in Github for anyone doing this and open sourcing their site.
v = v.select do |format|
format.symbol || format.ref == "*/*"
I'm thinking if I were writing this code in an application, and it looked this cryptic, I might at least add a comment noting what it was for. Not that people shouldn't look in git. But inline is easier to notice, no?
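To make the question above (why an Accept header ends up in filesystem lookups) and the quoted two-line filter concrete, here is a small stand-alone Ruby model. It is an added example, not Rails code: the mime registry, the Accept-header parser and the template-name construction are constructed stand-ins for the real Action Dispatch / Action View machinery, and the registered types listed are assumptions. The filter itself mirrors the quoted lines: a media type survives only if it maps to a registered symbol, or is the `*/*` wildcard.

```ruby
# Added example: a minimal model of how an Accept header becomes a list
# of formats, and what the quoted filter removes. Not Rails's own code.

# Constructed registry: media types the application has registered,
# mapped to the short symbol that ends up in a template name.
# "*/*" is legitimate but has no symbol of its own.
REGISTERED_TYPES = {
  "text/html"        => :html,
  "application/json" => :json,
  "text/plain"       => :text,
  "*/*"              => nil,
}.freeze

# A format carries the raw media-type string from the request (ref) and,
# if registered, the symbol used for template lookup.
Format = Struct.new(:ref, :symbol)

# Parse an Accept header into Format objects in request order.
# Parameters such as ";q=0.9" are dropped; whatever is left is taken
# verbatim as the reference, which is why an unregistered value must
# never be spliced into a filename.
def parse_accept(header)
  header.to_s.split(",").map do |part|
    ref = part.split(";").first.to_s.strip
    next if ref.empty?
    Format.new(ref, REGISTERED_TYPES[ref])
  end.compact
end

# The filter from the quoted patch: keep only formats that resolve to a
# registered symbol, plus the wildcard.
def filter_formats(formats)
  formats.select { |format| format.symbol || format.ref == "*/*" }
end

def accepted_formats(header)
  filter_formats(parse_accept(header))
end

# Stand-in for turning the surviving formats into template names.
# Only registered symbols are ever appended; the wildcard maps to the
# bare base name. Nothing client-supplied reaches the string.
def template_candidates(base, header)
  accepted_formats(header).map do |f|
    f.symbol ? "#{base}.#{f.symbol}" : base
  end
end

if __FILE__ == $PROGRAM_NAME
  header = "text/html;q=0.9, application/x-not-registered, */*"
  p accepted_formats(header).map(&:ref)
  p template_candidates("app/views/pages/about", header)
end
```

The point the filter makes: before it, an unregistered media type in the Accept list would still have been a format with a non-nil `ref`, and any code path that derived a filename from `ref` was trusting request input; after it, only names the application itself registered can influence the lookup.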
"Sorry, you have been blocked"
"This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data."
Apparently, Cloudflare's great at detecting threats. Bummer.
I strongly recommend using at least one tool to help you know when a publicly known vulnerability is reported in a component you use. Then you can update, run your automated tests, and immediately ship. Modern systems are typically mostly reused code. Being unprepared for vulnerabilities in them is a little crazy, because you know that such things will happen.
But I could not without my fans blasting and overheating my laptop. The page is using js to continuously render a moving background.
Having things wandering across the screen draws the eye away from the content you are trying to read.