EDIT AGAIN: I think putting it at the end of environment.rb works. I somehow messed it up and got confused, but then I tried it again and it worked. Just make sure you confirm your fix with the curl command!
into environments.rb and re-deployed and that fixed it. Now when I run the curl command I get a parameter-less GET request in the log. I still do not understand why updating to 2.3.15 per the recommended method did not fix the problem, but at least our app doesn't need the xml in that way.
Are you running this test against your development or production site? I can't get it to run against my production site, (nothing appears in the log at all,) but I have triple checked everything and am still getting the same unwanted result against my development site.
Is Rails 1.X vulnerable at all? Tried running the snippet on a Rails 1.X app without any patches, and I got the id as a string, not an object. Why? The Rails guys seemingly implied 1.X is also vulnerable just that they don't give a damn about investigating what would fix it because it's too damn old.
Per pixeltrix's comment it appears that you're safe.
"If you mean that your Ruby on Rails version is 1.2.6 then, no the vulnerability does not affect you as the feature was introduced in Ruby on Rails 2.0"
Using the above curl command I was able to verify that an old rails 1.2.3 app that I pretend-maintain for a friend returned the ID as a string. Since it is a string and not an object, it's safe. That's all I know. From what I gather/conjecture, rails 1.x didn't have the functionality that caused this vulnerability in the first place.
I am not quite sure how those 2 lines interfer with my rails 2.0 app (we are using XML features). What exactly is being disabled here? What features will i not able to use anymore after applying this fix?
Rails 3.2.11 is OK. I upgraded a website to it and did nothing else and when I try the curl command ( curl -i -H "Content-Type: application/xml" -X POST -d '<id type="yaml">--- !ruby/object:ActionController::Base bar: 1</id>' http://example.com/ ) I see something like this in the production log:
Hash::DisallowedType (Disallowed type attribute: "yaml"):
activesupport (3.2.11) lib/active_support/core_ext/hash/conversions.rb:112:in `typecast_xml_value'
If you're running a very old version of rails, it might not be that easy to update to the latest rails version. In that case, just stick this in your config/environment.rb
I put mine in an intializers file.