Rails 3.2.22 did not receive a fix for CVE-2015-3226 but is listed as affected by it.
However I ran the test that ships in the patches for 4.1 and 4.2 with Rails 3.2.22 and it almost passes. Only difference is the case of hex characters in escaped string.
So this test passes on 3.2.22 without any modifications.
def test_hash_keys_encoding
ActiveSupport.escape_html_entities_in_json = true
assert_equal "{\"\\u003c\\u003e\":\"\\u003c\\u003e\"}", ActiveSupport::JSON.encode("<>" => "<>").downcase
ensure
ActiveSupport.escape_html_entities_in_json = false
end
Can someone please confirm if Rails 3.2.22 really is vulnerable in this case or not?
Thanks!
