Best line from the article:
The patch location is easily discovered with the elite hacking tool diff -r…
It appears as though a bug in the validation logic makes it possible to execute arbitrary Ruby code if you also have the ability to place a code file on the server at a location you can predict.
This is certainly a serious flaw, but it is beyond me why the Ruby on Rails team attempted their “just trust us and upgrade” approach to handling this situation rather than releasing specifics about the bug and the fix. That way Ruby on Rails site administrators could make informed decisions about upgrading.
When Microsoft releases their patches, folks decompile them and reverse engineer where changes have been made so they can determine what flaws have been fixed. Did the Ruby on Rails core team think that a high-profile project like theirs that is delivered in source form – not binary – would be spared that kind of scrutiny? Elite hacking tool diff -r…
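The `diff -r` triage the post refers to, as an added example that is not the author's code and not Rails code: a POSIX shell script that builds two constructed sample release trees (the path `lib/framework/validator.rb`, the file names and the validator contents are placeholders, not the real Rails patch) and lists exactly which files the new release touched, then shows the hunks. That is the first step a site administrator would take to decide for themselves what a "just upgrade" release actually changed.

```shell
#!/bin/sh
# Added example, not from the original post or the Rails project.
# Lists the files a source-form patch release touched by diffing the
# old and new trees with `diff -r`, i.e. the triage step an administrator
# can take before deciding whether "just upgrade" is acceptable.
# The two release trees are constructed sample data; the path
# lib/framework/validator.rb and its contents are placeholders, not the
# real Rails patch.

set -eu

# build_sample_release DIR VARIANT   (VARIANT is "old" or "new")
# Creates a tiny fake framework tree. Only validator.rb changes between
# the variants, and the "new" release adds one helper file.
build_sample_release() {
    dir=$1
    variant=$2
    mkdir -p "$dir/lib/framework"
    # identical in both releases
    printf '%s\n' '# unchanged between releases' 'class Base; end' \
        > "$dir/lib/framework/base.rb"
    if [ "$variant" = "new" ]; then
        printf '%s\n' '# constructed "new" release: tightened check' \
            'def acceptable?(value)' \
            '  value.is_a?(String) && value.match?(/\A[a-z_]+\z/)' \
            'end' > "$dir/lib/framework/validator.rb"
        printf '%s\n' '# only present in the new release' \
            > "$dir/lib/framework/new_helper.rb"
    else
        printf '%s\n' '# constructed "old" release: permissive check' \
            'def acceptable?(value)' '  true' 'end' \
            > "$dir/lib/framework/validator.rb"
    fi
}

# changed_files OLD NEW
# Prints the paths (relative to the tree root, sorted, one per line) that
# differ between the two trees. `diff -rq` emits two line shapes:
#   Files OLD/x and NEW/x differ
#   Only in DIR: name
# Both are reduced to a plain relative path with parameter expansion only,
# so file names are never word-split.
changed_files() {
    old=$1
    new=$2
    diff -rq "$old" "$new" | while IFS= read -r line; do
        case $line in
            "Files "*)
                rest=${line#Files }
                p=${rest%% and *}
                printf '%s\n' "${p#"$old"/}"
                ;;
            "Only in "*)
                rest=${line#Only in }
                d=${rest%%: *}
                f=${rest#*: }
                d=${d#"$old"}
                d=${d#"$new"}
                d=${d#/}
                printf '%s\n' "${d:+$d/}$f"
                ;;
        esac
    done | sort -u
}

# count_changed OLD NEW: number of touched paths, a quick sanity check
# before reading any hunks.
count_changed() {
    changed_files "$1" "$2" | wc -l | tr -d ' '
}

# Demo: build the two trees, list what the "patch" touched, then show the
# actual hunks for each touched file (the part that tells you what was fixed).
work=$(mktemp -d)
build_sample_release "$work/old" old
build_sample_release "$work/new" new
echo "Files touched by the new release ($(count_changed "$work/old" "$work/new")):"
changed_files "$work/old" "$work/new"
echo
echo "Unified diff of the touched files:"
diff -ru "$work/old" "$work/new" || true   # diff exits 1 when trees differ
rm -rf "$work"
```

Run it against two unpacked release tarballs instead of the sample trees and the touched-file list usually comes down to a handful of paths; reading `diff -ru` for just those files is what lets an administrator judge whether their deployment is exposed before upgrading.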
dan _at_ denimgroup.com