The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework. New releases of Ruby on Rails, 3.2.10, 3.1.9 and 3.0.18, are now available, and all users are advised to update immediately. For users unable to update, patches are available for the supported 3.2 and 3.1 series and for the older 3.0 and 2.3 releases.
The problem, according to the advisory, lies in the way dynamic finders in ActiveRecord extract options from method parameters: a method parameter can be treated as a scope, and by carefully manipulating that scope users can inject arbitrary SQL. Dynamic finders use the method name to determine which field to search, so calls such as:
would be vulnerable to attack. The original problem was disclosed on the Phenoelit blog in late December, where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework.
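As an added example that is not code from Rails or from the advisory, the plain-Ruby sketch below models the defender's side of this bug class: a request parameter that arrives as a nested Hash rather than a scalar is refused before it reaches a finder-style call, and the finder itself derives the column from the method name, checks it against a whitelist and binds the value instead of interpolating it. The table name, column list and sample parameters are assumptions constructed for the example.

```ruby
# Added example, not code from the Rails project or the advisory. No ActiveRecord is used;
# the finder is a toy that only builds the SQL text and its bind list.

ALLOWED_COLUMNS = %w[id name email].freeze # assumed column list for the example

# Request parameters as a form-decoding layer would deliver them (constructed samples):
# "?name=alice" decodes to a String, while "?name[limit]=1" decodes to a Hash.
SAMPLE_SCALAR_PARAMS = { "name" => "alice" }.freeze
SAMPLE_HASH_PARAMS   = { "name" => { "limit" => "1" } }.freeze

# Return the parameter only when it is a plain scalar; nested structures are refused so
# they can never be mistaken for finder options.
def scalar_param(params, key)
  value = params[key]
  return nil if value.nil?
  unless value.is_a?(String) || value.is_a?(Integer)
    raise ArgumentError, "parameter #{key.inspect} must be a scalar, got #{value.class}"
  end
  value
end

# A finder whose column comes from the method name (find_by_<column>), checked against a
# whitelist; the value is passed as a bind parameter, never pasted into the SQL string.
class SafeFinder
  def initialize(table)
    @table = table
  end

  def method_missing(name, *args)
    column = name.to_s[/\Afind_by_(\w+)\z/, 1]
    return super unless column && ALLOWED_COLUMNS.include?(column)
    raise ArgumentError, "find_by_#{column} takes exactly one argument" unless args.size == 1
    value = args.first
    raise ArgumentError, "scalar expected" unless value.is_a?(String) || value.is_a?(Integer)
    ["SELECT * FROM #{@table} WHERE #{column} = ? LIMIT 1", [value]]
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.start_with?("find_by_") || super
  end
end

# Call site: validate the parameter first, then hand only a scalar to the finder.
def lookup_user(params)
  value = scalar_param(params, "name")
  return nil if value.nil?
  SafeFinder.new("users").find_by_name(value)
end
```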