@s4parke
Created February 6, 2013 13:59
Workaround for the Rails XML/YAML parameter parsing vulnerability (CVE-2013-0156). Drop this file in config/initializers/xml_parser.rb
# config/initializers/xml_parser.rb
# There are multiple weaknesses in the parameter parsing code for Ruby on Rails which
# allow attackers to bypass authentication systems, inject arbitrary SQL, inject
# and execute arbitrary code, or perform a DoS attack on a Rails application.
#
# This vulnerability has been assigned the CVE identifier CVE-2013-0156.
# https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
#
# Workarounds
# -----------
# The workarounds differ depending on the Rails version you are using, and whether
# or not your application needs to support XML Parameters.
#
# Disabling XML Entirely
# ----------------------
# Users who don't need to support XML parameters should disable XML parsing entirely
# by placing one of the following snippets inside an application initializer:
#
# Rails 2.3
# ---------
# This line is active: the file as shipped disables XML parameter parsing.
ActionController::Base.param_parsers.delete(Mime::XML)
# Removing YAML and Symbol support from the XML parser
# ----------------------------------------------------
# If your application must continue to parse XML you must disable the
# YAML and Symbol type conversion from the Rails XML parser.
#
# For 2.x apps, check whether your app sets
# `ActionController::Base.param_parsers[Mime::YAML] = :yaml`
# and snip that out if it does.
#
# Rails 2.3
# ---------
# If your application must keep accepting XML parameters, uncomment the two
# lines below and remove the param_parsers.delete line above instead.
# ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
# ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
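The workaround works because Rails 2.3's Hash.from_xml typecasts each element by its type="" attribute through a lookup table (XML_PARSING), and that table includes converters that hand attacker-controlled text to YAML.load and String#to_sym. The following stand-alone Ruby script, written for this page and not taken from the gist or from Rails, models that table with a vulnerable and a hardened copy and runs a constructed attacker request body through both. The constants VULNERABLE_XML_PARSING and HARDENED_XML_PARSING, the functions typecast, parse_params, vulnerable_parse and hardened_parse, and the sample XML are all assumptions for the illustration; only the shape of the typecast step mirrors Rails.

```ruby
# Added example (not Rails source, not the gist's code): models the Rails 2.3
# XML parameter typecast table and the effect of deleting 'symbol' and 'yaml'.
require 'rexml/document'
require 'yaml'

# Stand-in for ActiveSupport's XML_PARSING table: each entry turns the text of
# a <elem type="..."> node into a Ruby object. Assumed names, real behaviour.
VULNERABLE_XML_PARSING = {
  'integer' => lambda { |s| s.to_i },
  'boolean' => lambda { |s| %w(1 true).include?(s.strip) },
  'string'  => lambda { |s| s },
  'symbol'  => lambda { |s| s.to_sym },    # attacker picks any symbol
  'yaml'    => lambda { |s| YAML.load(s) } # attacker-controlled YAML.load
}

# The workaround from the initializer above: the same table with the two
# dangerous converters removed. Legitimate types (integer, boolean) survive.
HARDENED_XML_PARSING = VULNERABLE_XML_PARSING.reject do |type, _|
  %w(symbol yaml).include?(type)
end

# One element's typecast: a recognised type attribute selects a converter,
# anything else (including no type attribute) stays a plain String.
def typecast(type, text, table)
  converter = table[type]
  converter ? converter.call(text) : text
end

# Flatten the children of the root element into a params-style Hash.
def parse_params(xml, table)
  doc = REXML::Document.new(xml)
  params = {}
  doc.root.elements.each do |el|
    params[el.name] = typecast(el.attributes['type'], el.text.to_s, table)
  end
  params
end

# Constructed attacker request body. The yaml-typed element deserialises into a
# Hash with a Symbol key instead of the String the application expects; the
# symbol-typed element creates an arbitrary Symbol. Under Psych < 4 YAML.load is
# an unsafe load, so a !ruby/object: tag here would instantiate any class; the
# payload is kept to a symbol-keyed Hash so the script runs on every Ruby.
ATTACK_XML = <<XML
<user>
  <name>alice</name>
  <count type="integer">3</count>
  <role type="symbol">admin</role>
  <token type="yaml">
---
:admin: true
</token>
</user>
XML

def vulnerable_parse(xml = ATTACK_XML)
  parse_params(xml, VULNERABLE_XML_PARSING)
end

def hardened_parse(xml = ATTACK_XML)
  parse_params(xml, HARDENED_XML_PARSING)
end

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_parse.inspect}"
  puts "hardened:   #{hardened_parse.inspect}"
end
```

With the vulnerable table, params['token'] comes back as {:admin => true} and params['role'] as :admin, which is the shape that lets a later `find_by_token(params[:token])` or a symbol comparison behave in ways the application never anticipated. With the hardened table the same body yields plain strings for both elements while `count` is still typecast to the Integer 3, which is why the advisory's second workaround is sufficient for applications that must keep XML support.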