Rails 3.2.22 did not receive a fix for CVE-2015-3226
<https://groups.google.com/forum/#!msg/rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ>
but is listed as affected by it.
However I ran the test that ships in the patches for 4.1 and 4.2 with Rails
3.2.22 and it almost passes. Only difference is the case of hex characters
in escaped string.
So this test passes on 3.2.22 without any modifications.
def test_hash_keys_encoding
ActiveSupport.escape_html_entities_in_json = true
assert_equal "{\"\\u003c\\u003e\":\"\\u003c\\u003e\"}",
ActiveSupport::JSON.encode("<>" => "<>").downcase
ensure
ActiveSupport.escape_html_entities_in_json = false
end
Can someone please confirm if Rails 3.2.22 really is vulnerable in this
case or not?
Thanks!
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.
