Why are we still clobbering empty array parameters?
You may have noticed that ever since the CVE-2013-0155 security vulnerability, Rails has been clobbering empty (or all-nil) arrays in parameters down to nil. The reason is that a JSON body such as {"token": [null]} parses to [nil], an array that is not empty and so sails past a presence check, and where(token: params[:token]) then emits "token IS NULL" and matches rows the caller never intended.
Well, kinda. They stopped in 3.0 stable, but continue in Rails 3.1+. It’s time to stop the madness and just compact the nil values across the board.
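An added example (not code from the original post, and not Rails' own implementation) that plays the problem through in plain Ruby: deep_munge is a reconstruction from memory of the "collapse to nil" strategy, deep_compact is the strategy the post argues for, token_predicate is a hypothetical, simplified stand-in for how where(token: value) shapes its SQL, blank? mirrors the Rails presence rule for nil, false, empty strings and empty arrays, and the two JSON payloads are constructed for the demonstration.

```ruby
# Added example, not code from the original post or from Rails itself.
# Models the situation around CVE-2013-0155: a JSON body {"token": [null]}
# parses to {"token" => [nil]}, which survives a presence check and makes the
# query layer emit `token IS NULL`. Two parameter-sanitizing strategies are
# compared: "munge" (empty or all-nil arrays collapse to nil; reconstructed
# from memory, not copied from Rails) and "compact" (drop nils, keep arrays),
# which is what the post proposes.
require 'json'

# Munge strategy: recursively drop nils and turn any array that ends up empty
# into nil. Note that a legitimately empty array is clobbered too.
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  when Array
    cleaned = value.map { |v| deep_munge(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Compact strategy: recursively drop nils but leave arrays as arrays, so
# {"tags": []} stays [] instead of becoming nil.
def deep_compact(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_compact(v) }
  when Array
    value.map { |v| deep_compact(v) }.compact
  else
    value
  end
end

# Hypothetical, simplified model of the predicate where(token: value) builds.
# Active Record is richer than this, but the IS NULL / IN (...) / 1=0 shapes
# are the ones that matter here. Placeholders stand in for bound values.
def token_predicate(value)
  case value
  when nil
    'token IS NULL'
  when Array
    return '1=0' if value.empty?              # nothing can match an empty list
    non_nil = value.compact
    parts = []
    parts << "token IN (#{Array.new(non_nil.size, '?').join(', ')})" unless non_nil.empty?
    parts << 'token IS NULL' if value.include?(nil)   # the dangerous branch
    parts.join(' OR ')
  else
    'token = ?'
  end
end

# Rails-style presence rule: nil, false, "" and [] are blank, so [nil] is NOT
# blank and slips past a `return if params[:token].blank?` guard.
def blank?(value)
  value.nil? || value == false || (value.respond_to?(:empty?) && value.empty?)
end

# Simulates the controller path: sanitize params, guard, then build the query.
# Returns the predicate the guard let through, or :rejected.
def lookup_sql(raw_json, sanitizer)
  params = sanitizer.call(JSON.parse(raw_json))
  token = params['token']
  return :rejected if blank?(token)
  token_predicate(token)
end

ATTACK = '{"token": [null]}'.freeze    # constructed attacker payload
NORMAL = '{"token": "abc123"}'.freeze  # constructed legitimate payload
NO_SANITIZE = ->(params) { params }    # what a raw parser hands you

puts "unsanitized: #{lookup_sql(ATTACK, NO_SANITIZE)}"        # token IS NULL
puts "munged:      #{lookup_sql(ATTACK, method(:deep_munge))}"   # :rejected
puts "compacted:   #{lookup_sql(ATTACK, method(:deep_compact))}" # :rejected
puts "empty array, munged:    #{deep_munge('tags' => [])['tags'].inspect}"   # nil
puts "empty array, compacted: #{deep_compact('tags' => [])['tags'].inspect}" # []
```

Both strategies stop the [nil] payload, because [] is blank and, even without the guard, maps to a predicate that can match nothing. The difference shows up on honest input: munging turns an intentionally empty array into nil, while compacting preserves it, which is the post's complaint.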
Comments
Wrong solution to the problem IMO. What you want is params validation. Would have been the right answer instead of attr_accessible too. It’s not the job of the model to guard against security issues which aren’t really model-related. That’s just poor separation of concerns.