This is a huge vulnerability they found - you could arbitrarily execute Ruby code via public URLs.
Quote:
|
The cat is out of the bag, so here’s the full disclosure edition of the current security vulnerability. With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code will run for a long time and that process will be hung while it happens. Other URLs can even cause data loss.
|
And if you're using engines, then you'll want to hold off on updating to 1.1.6, because ..
Quote:
These patches (and 1.1.6) will break applications using the 3rd party engines idea. So if you can’t upgrade because of dependencies to those, you can also add the following URL blocking while engines are being updated. Here’s how to do it with mod_rewrite under Apache:
RewriteRule ^(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/ - [F]
Here’s how to do it under lighttpd:
url.rewrite-once = ( "^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/" => "index.html" )
|
Full article here:
http://weblog.rubyonrails.com/2006/8...ull-disclosure
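Added example (not from the post or the Rails advisory): a small Python checker that applies the same directory pattern the advisory's mod_rewrite and lighttpd rules use, both to single request targets and to Apache combined-format access log lines, so you can verify the block is in place and spot requests that reached those paths before it was. The log lines are constructed, and the %-decoding of the path is an assumption that mirrors how Apache matches RewriteRule patterns in server context.

```python
import re
from urllib.parse import unquote, urlsplit

# Rails application directories listed in the advisory's mod_rewrite and lighttpd rules.
RAILS_DIRS = ("app", "components", "config", "db", "doc", "lib", "log",
              "public", "script", "test", "tmp", "vendor")

# Same shape as the advisory's pattern: leading slash, one of the directories, a slash.
BLOCKED_PATH = re.compile(r"^/(?:%s)/" % "|".join(RAILS_DIRS))

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def request_path(target):
    """Return the %-decoded path of a request target with the query string dropped.
    Assumption: decoding first matches how the web server applies the rule."""
    return unquote(urlsplit(target).path)


def is_blocked(target):
    """True if the advisory's rule would refuse this request target."""
    return BLOCKED_PATH.match(request_path(target)) is not None


def find_rails_dir_requests(log_lines):
    """Parse combined-format lines and return (client, method, path, status) for every
    request whose path points into one of the listed Rails directories."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = request_path(m.group("target"))
        if BLOCKED_PATH.match(path):
            hits.append((m.group("client"), m.group("method"), path, int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic): the 200 shows a request that got through
# before the rule was added, the 403s show the rule refusing later ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Aug/2006:13:02:11 +0200] "GET /script/profiler HTTP/1.1" 200 0 "-" "curl/7.15"',
    '203.0.113.5 - - [09/Aug/2006:13:02:40 +0200] "GET /%73cript/profiler HTTP/1.1" 403 212 "-" "curl/7.15"',
    '198.51.100.7 - - [09/Aug/2006:13:03:02 +0200] "GET /posts/1?page=2 HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Aug/2006:13:03:09 +0200] "GET /config/database.yml HTTP/1.1" 403 212 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_rails_dir_requests(SAMPLE_LOG):
        print("%s %s %s -> %d" % hit)
```

Run it against your own access log to find any 200 responses for these paths from before the rewrite rule (or the 1.1.6 upgrade) went in; those are the requests worth reviewing.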