But is this branch now officially closed?
Strip [nil] from parameters hash
I don't think that we will do another release. But I think that we can merge this in the 2-3-stable branch.
cc/ @tenderlove @jeremy
I just tried to fix this on my own and then found your pull request.
Any reason you put the call to deep_munge inside normalize_parameters instead of overriding parse_query like it was done in the 3.0 patch? Your tests pass. I basically copied the 3.0 patch including overriding parse_query and that passes too (boone@672933f). I'm afraid I haven't had time to study the Rack code to see if the difference is significant.
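An added illustration of the behaviour this thread is about (example code written for this page, not from the pull request, the linked commit, or Rails itself). `deep_munge` here mirrors the shape of the Rails 3.x fix that the comments refer to (recurse into nested hashes, `compact!` each array); `where_fragment` and `token_lookup_sql` are hypothetical stand-ins for how a query layer might render a parameter value, written so that a `nil` inside an array contributes an `IS NULL` test. `EVIL_PARAMS` is a constructed request body, the kind of thing a JSON or XML parser could hand back.

```ruby
# Added example, not code from the PR or from Rails.
# Recursively strip nil entries from every Array inside a params hash.
# Mutates the hash in place and returns it.
def deep_munge(hash)
  hash.each_value do |v|
    case v
    when Array
      v.grep(Hash) { |x| deep_munge(x) }   # recurse into hashes nested in arrays
      v.compact!                           # [nil] => [], ["a", nil] => ["a"]
    when Hash
      deep_munge(v)
    end
  end
  hash
end

# Minimal quoting for the toy SQL below (illustration only, not a real escaper).
def quote(x)
  x.is_a?(Numeric) ? x.to_s : "'#{x.to_s.gsub("'", "''")}'"
end

# Hypothetical stand-in for a predicate builder: nil => IS NULL, an array
# => IN (...), and a nil *inside* an array also contributes IS NULL.
# That last rule is what turns {"token" => [nil]} into a match on every
# row whose token column is NULL.
def where_fragment(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    non_nil = value.compact
    clauses = []
    clauses << "#{column} IN (#{non_nil.map { |x| quote(x) }.join(', ')})" unless non_nil.empty?
    clauses << "#{column} IS NULL" if value.include?(nil)
    clauses.empty? ? "1=0" : clauses.join(" OR ")   # empty IN list can match nothing
  else
    "#{column} = #{quote(value)}"
  end
end

# Constructed attacker-controlled parameters (what a decoded request body
# might look like): the token is not a string but an array holding a nil.
EVIL_PARAMS = { "user" => { "token" => [nil] }, "ids" => [1, nil, 2] }.freeze

# Build the lookup query with or without munging the parameters first.
# A deep copy keeps deep_munge from mutating the caller's hash.
def token_lookup_sql(params, munge: false)
  params = deep_munge(Marshal.load(Marshal.dump(params))) if munge
  "SELECT * FROM users WHERE #{where_fragment('token', params['user']['token'])}"
end

if __FILE__ == $0
  puts token_lookup_sql(EVIL_PARAMS)               # matches rows with NULL token
  puts token_lookup_sql(EVIL_PARAMS, munge: true)  # empty array, matches nothing here
end
```

What the example shows is exactly the scope of a `[nil]` strip: after `deep_munge` the token value is an empty array, and whether an empty array is harmless downstream depends entirely on what the query layer does with it (in this toy it renders as `1=0`); the later comment in this thread about needing to strip them all is about that remaining gap, which this strip alone does not address.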
@sebbacon I created a monkey patch based on your code. I ran into errors trying to monkey patch the parse_query method but your way seems to work.
It would be great to see your patch merged into the stable branch, and maybe it's a good reason for one last point release. The stable branch has a few other post-2.3.14 changes anyway.
Stripping [nil] is not a solution for those vulnerabilities; you need to strip them all.
@boone, there may be better ways of doing it, but I've made the assumption that mine is Good Enough given that it causes the tests to pass.
@homakov these fixes are based on the same code that fixed the vulnerability in Rails 3.x. If it is a flawed solution for all of Rails, you should probably open a new issue. This pull request will probably be ignored by most people as it applies to Rails 2.3.
@sebbacon you're right, the tests are passing. I'm going to run with it for now. Thanks!
The current PR is out of date. You should either update it with the current working solution (we patched AR and used compact!) or close it :)
OK - got a link to the current working solution please?
2.3 is no longer supported; we publish patches when possible but will no longer make releases and no longer guarantee fixes.