RubyFlow The Ruby and Rails community linklog


The Ruby and Rails community linklog

Made a library? Written a blog post? Found a useful tutorial? Share it with the Ruby community here or just enjoy what everyone else has found!

Why are we still clobbering empty array parameters?

You may have noticed that ever since the CVE-2013-0155 security vulnerability, Rails has been clobbering empty (or all-nil) arrays in parameters down to nil.

Well, kinda. They stopped in 3.0 stable, but continue in Rails 3.1+. It’s time to stop the madness and just compact the nil values across the board.


Wrong solution to the problem IMO. What you want is params validation. Would have been the right answer instead of attr_accessible too. It’s not the job of the model to guard against security issues which aren’t really model-related. That’s just poor separation of concerns.

Post a comment

You can use basic HTML markup (e.g. <a>) or Markdown.

As you are not logged in, you will be
directed via GitHub to signup or sign in