Fix 'Security#Mass Assignment' URL typo

1 parent eb0d8ee commit ed7567ca7aa4ea3f29236229f4c1d366550a0c5c @abevoelker abevoelker committed with vijaydev Mar 9, 2012
Showing with 1 addition and 1 deletion.
  1. +1 −1 railties/guides/source/security.textile
@@ -374,7 +374,7 @@ end
Mass-assignment saves you much work, because you don't have to set each value individually. Simply pass a hash to the +new+ method, or +assign_attributes=+ a hash value, to set the model's attributes to the values in the hash. The problem is that it is often used in conjunction with the parameters (params) hash available in the controller, which may be manipulated by an attacker. He may do so by changing the URL like this:
<pre>
-"name":http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
+http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
</pre>
This will set the following parameters in the controller:
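Review bot: The unchanged context line at the top of this hunk names +assign_attributes=+ as the way to pass a hash, but the method is +assign_attributes+ (the setter form is +attributes=+), so readers who copy that name will hit a NoMethodError. Since this commit already touches the paragraph's example, consider correcting that name in the same change. Dropping the "name": link prefix inside the <pre> block looks right, because the example should show only the bare URL with the user[admin]=1 parameter.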