To apply the CVE-2013-0156 security fix to Rails 3.2.10 by hand, create this initializer.
# There are multiple weaknesses in the parameter parsing code for Ruby on Rails
# which allow attackers to bypass authentication systems, inject arbitrary SQL,
# inject and execute arbitrary code, or perform a DoS attack on a Rails application.
# This vulnerability has been assigned the CVE identifier CVE-2013-0156.

# Load REXML explicitly: an initializer runs before the XML backend is
# otherwise required, and REXML::Document must exist before it can be configured.
require 'rexml/document'

# Limit the risk of entity explosion attacks
# I imagine 1.9.3-p327 has been patched by now, but the limit is still 10,000 by default.
REXML::Document.entity_expansion_limit = 1000
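An added check, not part of the gist, that verifies the setting above actually bounds nested entity expansion in REXML: a constructed three-level entity definition parses under the gist's limit of 1000 and is rejected under a deliberately tiny limit. It assumes only Ruby's bundled REXML; the sample document and the parse_with_limit helper are made up for this demonstration.

```ruby
require 'rexml/document'

# Constructed sample document (not from the gist): each entity expands into
# four copies of the previous one, so a single &c; reference costs the parser
# 1 + 4 + 16 expansions. Larger "entity explosion" documents only add levels;
# the expansion limit is what keeps that cost bounded.
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;">
  ]>
  <r>&c;</r>
XML

# Parse +xml+ with REXML under the given entity expansion limit and force the
# text to be expanded. Returns the expanded text length when the document is
# accepted, or :rejected when REXML aborts because the limit was exceeded.
# REXML signals the exceeded limit by raising; the error is a RuntimeError
# (REXML::ParseException is also a RuntimeError subclass), so one rescue
# covers the versions this check was written against.
def parse_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  doc.root.text.length # entity references are expanded lazily, on access
rescue RuntimeError
  :rejected
ensure
  # Restore the process-wide setting so the check has no side effects.
  REXML::Document.entity_expansion_limit = previous
end

if __FILE__ == $PROGRAM_NAME
  puts "limit 1000: #{parse_with_limit(NESTED_ENTITY_XML, 1000).inspect}" # 16
  puts "limit 1:    #{parse_with_limit(NESTED_ENTITY_XML, 1).inspect}"    # :rejected
end
```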