RubyFlow : The Ruby Community Blog


Why are we still clobbering empty array parameters?

You may have noticed that ever since the CVE-2013-0155 security vulnerability, Rails has been clobbering empty (or all-nil) arrays in parameters down to nil.

Well, kinda. They stopped in 3.0 stable, but continue in Rails 3.1+. It's time to stop the madness and just compact the nil values across the board.
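The two behaviours the post contrasts, as an added Ruby sketch that is not part of the original post and is not Rails source code. The method names `munge_clobber` and `munge_compact` and the sample parameters are hypothetical, constructed for illustration.

```ruby
# Added sketch, not Rails source: two ways to sanitize nil-bearing arrays
# in parsed request parameters. Method names are hypothetical.

# Strategy A: drop nils, then replace an array that ends up empty with nil
# (the "clobbering" the post describes).
def munge_clobber(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = munge_clobber(v) }
  when Array
    kept = value.compact.map { |v| munge_clobber(v) }
    kept.empty? ? nil : kept
  else
    value
  end
end

# Strategy B: drop nils only; an empty array stays an empty array
# (the "just compact the nil values" behaviour the post asks for).
def munge_compact(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = munge_compact(v) }
  when Array
    value.compact.map { |v| munge_compact(v) }
  else
    value
  end
end

# Constructed sample parameters, shaped like a parsed JSON request body.
SAMPLE = {
  "tag_ids" => [],
  "token"   => [nil],
  "ids"     => [1, nil, 2],
  "user"    => { "roles" => [nil, nil], "name" => "a" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p munge_clobber(SAMPLE)
  p munge_compact(SAMPLE)
end
```

In both results no array still contains a nil element; the difference is that compacting keeps `"tag_ids" => []` as an explicit empty list, while clobbering turns it into nil.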


Wrong solution to the problem IMO. What you want is params validation. Would have been the right answer instead of attr_accessible too.
It's not the job of the model to guard against security issues which aren't really model-related. That's just poor separation of concerns.

apeiros - March 05, 2013 17:39
