sergiotapia

Host Name          IP Address/URL                  Record Type
@                  http://www.YOUR-DOMAIN.com      URL Redirect
www                heroku-app-name.herokuapp.com   CNAME (alias) 

sergiotapia

Pentastream::Application.routes.draw do
  get "streams/index"

  get "streams/updateall"

  root :to => 'streams#index'
end

sergiotapia

This is some text.

And *another* text.

    public class Foo
    {
        public string Person { get; set; }
    }

Toodles!

sergiotapia

[
  {
    "Created_Datetime":"2\/16\/2013 2:57:59 AM",
    "Id":1067196,
    "Last_Login_Datetime":"7\/10\/2014 2:36:08 AM",
    "LeagueConquest":{
      "Leaves":0,
      "Losses":0,
      "Name":"Conquest",
      "Points":0,

sergiotapia

[
  {
    "Created_Datetime":"7\/26\/2012 8:21:03 PM",
    "Id":312304,
    "Last_Login_Datetime":"7\/10\/2014 11:48:52 PM",
    "LeagueConquest":{
      "Leaves":2,
      "Losses":151,
      "Name":"Conquest",
      "Points":81,

sergiotapia

Demo

sergiotapia

This advisory concerns a security risk in all supported versions of Active Record. There is no patch to apply for this issue.

Due to the query API that Active Record supports, there is a risk of unsafe query generation in two scenarios. Databases with a table that contains a column with the same name as the table and queries with join aliases which conflict with column names could be vulnerable to an attack where the attacker can perform certain manipulations to the SQL queries generated by Rails.

Determining Vulnerability

A vulnerable application will either contain columns named identically to their table, or have column names which conflict with join aliases.

For example, if you had a model called SecurityToken, which contained an attribute called security_tokens then the following code could be manipulated to return additional records: