To apply the CVE-2013-0156 security fix to Rails 3.2.10 by hand, create this initializer:
```ruby
require 'rexml/document'

# There are multiple weaknesses in the parameter parsing code for Ruby on Rails
# which allow attackers to bypass authentication systems, inject arbitrary SQL,
# inject and execute arbitrary code, or perform a DoS attack on a Rails application.
# This vulnerability has been assigned the CVE identifier CVE-2013-0156.

# Limit the risk of entity explosion attacks
# I imagine 1.9.3-p327 has been patched by now, but the limit is still 10,000 by default.
REXML::Document.entity_expansion_limit = 1000
```
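
To confirm the limit set by the initializer is actually enforced, the following added check (not part of the original initializer) parses a small constructed document under a given limit and reports whether REXML rejected it. The helper name `expand_with_limit` and the sample document are assumptions made for this example.

```ruby
require 'rexml/document'

# Constructed sample: three nested entity levels, 1 + 3 + 9 = 13 expansions
# when the root text is read. Kept tiny on purpose; it only exercises the
# expansion counter that entity_expansion_limit controls.
NESTED_ENTITY_XML = <<~XML
  <!DOCTYPE r [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;">
  ]>
  <r>&c;</r>
XML

# Hypothetical helper: parse +xml+ with the global limit set to +limit+ and
# force entity expansion by reading the root element's text.
# Returns [:ok, text] or [:rejected, error message]; the previous global
# limit is restored either way.
def expand_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  [:ok, doc.root.text]
rescue RuntimeError => e
  # REXML raises a RuntimeError once the expansion count passes the limit.
  [:rejected, e.message]
ensure
  REXML::Document.entity_expansion_limit = previous if previous
end

if __FILE__ == $PROGRAM_NAME
  p expand_with_limit(NESTED_ENTITY_XML, 1000) # under the initializer's limit
  p expand_with_limit(NESTED_ENTITY_XML, 5)    # limit lower than the 13 expansions
end
```

Running the same helper in a test suite with the limit the initializer sets catches the case where the initializer is dropped or loaded too late.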