acts_as_taggable SQL injection vulnerability

Hey everyone!

If you’re using acts_as_taggable <= 1.04 (erm, any version, I
think…), please fix your local copy right now! There are numerous SQL
sanitization holes in this library: tag names are interpolated into
queries without being escaped.

I notified Obie of this over a month ago, so hopefully he’s fixed it.

How to tell if you’re vulnerable

Make a tag with a single quote in it. See if it raises an error.
Now, go delete your entire database.

How to fix

add/change the last line of split_tag_names so that every name is
escaped for the database before it is used in a query:

tag_names = tag_names.collect { |name|
  ActiveRecord::Base.connection.quote_string(name)
}

(map works just as well as collect; what matters is that quote_string
runs on every name.)

– Remember to restart your app.
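To make the two steps above concrete, here is an added example (my code, not acts_as_taggable’s or Obie’s). It rebuilds the shape of the bug: tag names split out of a string and pasted into a SQL condition, beside the post’s fix of escaping each name with quote_string. It needs no database; the quote_string method below is a stand-in for ActiveRecord::Base.connection.quote_string and assumes MySQL-style backslash escaping, and split_tag_names is my approximation of the plugin’s parser (whitespace-separated, double quotes grouping a multi-word name). It also goes one step beyond the “does it raise an error” check: it reads the finished SQL the way the database would and flags any query whose skeleton changed, which catches payloads that keep their quotes balanced and so never raise.

```ruby
# Added example, not acts_as_taggable's own code. Vulnerable tag condition
# beside the escaped one, plus a check that the tag names came through as
# data only. No database needed.

# Stand-in for ActiveRecord::Base.connection.quote_string.
# Assumption: the adapter escapes like MySQL, a backslash before ' and \.
def quote_string(s)
  s.gsub(/[\\']/) { |c| "\\" + c }
end

# Approximation of the plugin's split_tag_names: whitespace-separated
# names, with double quotes grouping a multi-word name ("ruby on rails").
def split_tag_names(tags)
  names = []
  tags.scan(/"([^"]*)"|(\S+)/) { |quoted, bare| names << (quoted || bare) }
  names.uniq
end

# The vulnerable shape: each name is wrapped in quotes and interpolated.
def tags_condition_unsafe(names)
  "tags.name IN (" + names.map { |n| "'#{n}'" }.join(", ") + ")"
end

# The post's fix: escape every name before interpolating it.
def tags_condition_escaped(names)
  "tags.name IN (" + names.map { |n| "'#{quote_string(n)}'" }.join(", ") + ")"
end

# Read the SQL the way the database will: split it into a skeleton (every
# string literal replaced by ?) and the decoded literal values. Returns
# [skeleton, literals, terminated]; terminated is false when a quote was
# left open, which is the "raises an error" case from the post.
def skeleton_and_literals(sql)
  skeleton = String.new
  literals = []
  current = nil
  i = 0
  while i < sql.length
    c = sql[i]
    if current.nil?
      if c == "'"
        current = String.new
        skeleton << "?"
      else
        skeleton << c
      end
    elsif c == "\\" && i + 1 < sql.length
      current << sql[i + 1]   # backslash escape: take the next char literally
      i += 1
    elsif c == "'"
      literals << current
      current = nil
    else
      current << c
    end
    i += 1
  end
  [skeleton, literals, current.nil?]
end

# The post's single-quote test, made mechanical and stricter: the names
# must come back as literal values only, with the query skeleton unchanged.
# A payload that keeps quotes balanced (x' OR 'a'='a) raises no error but
# still fails this check.
def vulnerable?(builder, tag_string)
  names = split_tag_names(tag_string)
  sql = builder.call(names)
  expected = "tags.name IN (" + (["?"] * names.size).join(", ") + ")"
  skeleton, literals, terminated = skeleton_and_literals(sql)
  !(terminated && skeleton == expected && literals == names)
end

if __FILE__ == $0
  # Constructed inputs: a harmless pair, a quote that breaks the query,
  # and a quote-balanced payload that silently rewrites it.
  ['ruby rails', %q{"o'reilly"}, %q{"x' OR 'a'='a"}].each do |tags|
    names = split_tag_names(tags)
    puts "tags: #{tags}"
    puts "  unsafe:  #{tags_condition_unsafe(names)}" \
         "  -> vulnerable? #{vulnerable?(method(:tags_condition_unsafe), tags)}"
    puts "  escaped: #{tags_condition_escaped(names)}" \
         "  -> vulnerable? #{vulnerable?(method(:tags_condition_escaped), tags)}"
  end
end
```

Escaping each name, as the post recommends, closes the hole for the adapter whose escaping rules quote_string implements. The more robust fix in Rails is to stop building the string at all and pass the names as bind values (`:conditions => ["tags.name IN (?)", names]`), so the driver handles quoting and the tag names can never become part of the query skeleton.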

court3nay :: we like big fonts and yellow highlighting :: personal codelog :: just like all the cool kids

" :: we like big fonts and yellow highlighting "

Ha! This killed me…