
Don't symbolize tainted data.

`I18n.locale=` symbolizes its argument, so passing it `params[:locale]`
allows one to DoS your application by visiting `...?locale=` URLs
repeatedly, with unique values, until the never-GCed symbols monopolize
the available memory.
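The pattern the commit message describes, as an added example that is not part of the commit or the Rails guides: the unsafe version symbolizes whatever the request sends, the hardened version compares strings against the configured list first and only symbolizes a value that is already known. `available` and `default` stand in for `I18n.available_locales` and `I18n.default_locale` and are passed in explicitly so the example runs without the i18n gem.

```ruby
# Added example (not the commit's or the Rails guides' code).
# `available` mirrors what I18n.available_locales returns (an Array of
# Symbols); `default` mirrors I18n.default_locale.

# The pattern the commit removes: every distinct ?locale= value becomes a
# new Symbol, which on the Rubies of the time was never garbage collected.
def unsafe_pick_locale(raw, default:)
  (raw || default).to_sym
end

# Hardened form: validate as a String, symbolize only a known value.
def pick_locale(raw, available:, default:)
  # Rack turns `?locale[]=en` into an Array and `?locale[a]=b` into a Hash;
  # only a plain String is a candidate for the lookup below.
  return default unless raw.is_a?(String)

  # Compare as strings first. The Symbols returned here already exist in
  # `available`, so no request can mint a new one.
  allowed = available.map(&:to_s)
  allowed.include?(raw) ? raw.to_sym : default
end

# Constructed sample inputs a request might carry.
AVAILABLE = [:en, :fr].freeze
DEFAULT   = :en

if $PROGRAM_NAME == __FILE__
  ["fr", "de", "en\u0000", ["en"], { "a" => "b" }, nil].each do |raw|
    safe = pick_locale(raw, available: AVAILABLE, default: DEFAULT)
    puts "#{raw.inspect} => #{safe.inspect}"
  end
end
```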
1 parent b12c1b8 commit ec0664a6eb8906fcd31a53a1efad69bdc7fe6f5b @devlinzed devlinzed committed Feb 11, 2014
Showing with 5 additions and 1 deletion.
+5 −1 guides/source/
@@ -145,7 +145,11 @@ The _setting part_ is easy. You can set the locale in a `before_action` in the `
before_action :set_locale
def set_locale
- I18n.locale = params[:locale] || I18n.default_locale
+ if %w[en fr].include?(params[:locale])
+ I18n.locale = params[:locale]
+ else
+ I18n.locale = I18n.default_locale
+ end

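Review bot: the allow-list `%w[en fr]` in the new `if` hard-codes a copy of the application's locale configuration, so any locale later added to the app would silently fall back to `I18n.default_locale` here; compare against the configured list instead, e.g. `if I18n.available_locales.map(&:to_s).include?(params[:locale])`, which keeps the comparison on Strings so nothing is symbolized before it is known to be valid. The hunk also changes only the code sample while the surrounding guide text ("The _setting part_ is easy...") still says nothing about why the check exists; a sentence explaining that `I18n.locale=` symbolizes its argument and that untrusted values must be validated first would keep readers from copying the old one-liner back.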
7 comments on commit ec0664a


This is a security issue. Are we going to see a rails update in the next days? Is there a CVE?

Ruby on Rails member

This doc change has been reverted as I18n already takes care of validating the locales, and was already released with latest Rails versions. Just make sure you have an updated I18n gem.


we are talking about CVE-2013-4492, right?

Ruby on Rails member

No. This CVE is about something else. I think this i18n change doesn't have any CVE assigned.


do you know which commits are the fixes in i18n?

Ruby on Rails member