Fix 'Security#Mass Assignment' URL typo
abevoelker authored and vijaydev committed Mar 26, 2012
1 parent eb0d8ee commit ed7567c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion railties/guides/source/security.textile
Expand Up @@ -374,7 +374,7 @@ end
Mass-assignment saves you much work, because you don't have to set each value individually. Simply pass a hash to the +new+ method, or +assign_attributes=+ a hash value, to set the model's attributes to the values in the hash. The problem is that it is often used in conjunction with the parameters (params) hash available in the controller, which may be manipulated by an attacker. He may do so by changing the URL like this:

<pre>
"name":http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
</pre>

This will set the following parameters in the controller:
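
Review bot: In the unchanged paragraph just above the changed line, +assign_attributes=+ is written with a trailing = and followed by "a hash value", which reads as a mix of the assign_attributes method call and the attributes= setter; since this commit already touches the passage, consider settling on one of them. The edit inside the pre block looks right: Textile does not render link markup there, so the "name": prefix would have been shown literally in front of the example URL. The commit message could say "stray link markup" rather than "URL typo", since the URL itself is unchanged.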