Versions affected by CVE-2015-3226

Rails 3.2.22 did not receive a fix for CVE-2015-3226 but is listed as affected by it.

However I ran the test that ships in the patches for 4.1 and 4.2 with Rails 3.2.22 and it almost passes. Only difference is the case of hex characters in escaped string.

So this test passes on 3.2.22 without any modifications.

    def test_hash_keys_encoding
ActiveSupport.escape_html_entities_in_json = true
assert_equal "{\"\\u003c\\u003e\":\"\\u003c\\u003e\"}", ActiveSupport::JSON.encode("<>" => "<>").downcase
ActiveSupport.escape_html_entities_in_json = false

Can someone please confirm if Rails 3.2.22 really is vulnerable in this case or not?


You are correct! Rails < 4.1 is not affected. Sorry for the confusion!

Godfrey (Rails core team)