4.1.5 requires Model.where(hash_attributes) to use sanitized params

YIKES! Rails 4.1.5 requires safe params for calling Model.where(object_that_is_Hash).

I documented the details here:


Was it expected that we needed to worry about safe_params for Model.where starting with 4.1.5? Possibly that should go into the release notes?


Yes, it was intentional: https://groups.google.com/forum/#!topic/rubyonrails-security/M4chq5Sb540

It closes a security hole in a slightly peculiar piece of functionality where you can do: Model.where(name: "Koz").create which would break pretty badly if you used


In hindsight this should definitely have been documented a little more clearly.
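To make the hole the reply alludes to concrete, here is an added, self-contained Ruby sketch that is not Rails code and not part of this thread. It models the where-chain-then-create path with hypothetical stand-ins: Params for ActionController::Parameters, Relation for the where chain, Record for an ActiveRecord model, and ForbiddenAttributesError for the strong-parameters check. The sample request params are constructed; the sensitive attribute is an assumed admin flag.

```ruby
# Added example, not Rails code. All class names below are hypothetical stand-ins.

# Stand-in for strong parameters: a hash that knows whether it has been permitted.
class Params
  attr_reader :to_h

  def initialize(hash, permitted: false)
    @to_h = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Whitelist: keep only the listed keys and mark the result as permitted.
  def permit(*keys)
    Params.new(@to_h.select { |k, _| keys.include?(k) }, permitted: true)
  end
end

class ForbiddenAttributesError < StandardError; end

# Stand-in for a model: attributes are a plain hash; :admin is the sensitive one (assumed).
class Record
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  def admin?
    !!@attributes[:admin]
  end
end

# Stand-in for the where chain. `where` records conditions and `create` reuses
# them as attributes of the new record, which is the path the reply describes.
class Relation
  def initialize(check_permitted:)
    @conditions = {}
    @check_permitted = check_permitted
  end

  def where(conditions)
    # Pre-4.1.5 behaviour: any hash-like object is accepted as-is.
    # 4.1.5 behaviour (as described in the thread): unpermitted params are rejected.
    # Plain Hashes have no permitted? and pass through either way.
    if @check_permitted && conditions.respond_to?(:permitted?) && !conditions.permitted?
      raise ForbiddenAttributesError, "unpermitted parameters passed to where"
    end
    @conditions = @conditions.merge(conditions.to_h)
    self
  end

  def create
    Record.new(@conditions)
  end
end

# Constructed request input: the client-controlled field :admin rides along with :name.
REQUEST_PARAMS = Params.new({ name: "Koz", admin: true })

# Old behaviour: the unpermitted hash flows straight into the created record.
def create_without_check(params)
  Relation.new(check_permitted: false).where(params).create
end

# New behaviour: the same call raises unless the params were permitted first.
def create_with_check(params)
  Relation.new(check_permitted: true).where(params).create
end

# Correct usage under the new behaviour: permit the intended keys before calling where.
def safe_create(params)
  Relation.new(check_permitted: true).where(params.permit(:name)).create
end
```

Running create_without_check shows the admin flag reaching the new record; create_with_check raises instead, and safe_create produces a record carrying only the permitted name.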