4.1.5 requires Model.where(hash_attributes) to use sanitized params

YIKES! Rails 4.1.5 requires safe params for calling Model.where(object_that_is_Hash).

I documented the details here:

http://forum.railsonmaui.com/t/rails-4-1-5-security-fix-breaks-model-where-attributes/110

Was it expected that we needed to worry about safe_params for Model.where starting with 4.1.5? Possibly that should go into the release notes?

Hi,

Yes, it was intentional: https://groups.google.com/forum/#!topic/rubyonrails-security/M4chq5Sb540

It closes a security hole in a slightly peculiar piece of functionality where you can do: Model.where(name: "Koz").create which would break pretty badly if you used

Model.where(params[:attributes]).create.

In hindsight this should definitely have been documented a little more clearly.