Upgrading From Rails < 2.0.1 - Security Notice
Tuesday, September 8th, 2009

So when you're upgrading your ghetto rails app that hasn't been touched in a couple of years to the new hotness, make sure you check your filters.
Previously, in Rails < 2.0.1, returning false from a before_filter halted the filter chain and stopped the action from running. In Rails >= 2.0.1 the filter's return value is ignored: a before_filter _must_ render or redirect in order to halt the chain and keep the controller action from being called.
This is a large security issue if your authorization filter only returns false. After the upgrade nothing stops the request, so unauthorized users fall straight through to the protected action, and there is no error or warning to tell you it happened. Make sure to update those filters to redirect or render a 403.
In our case, we also created an "errors" directory in our views directory to hold our 403.erb view, which we now render where we used to return false only.
Previously:
return false
Now:
render 'errors/403', :status => 403 and return false
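To see the bypass without a full Rails install, here is an added example (not code from the original post) with a tiny stand-in for the Rails >= 2.0.1 filter chain: the return value of each filter is ignored and only a render or redirect halts the action. The MiniController class, its before_filter/process methods and the two controllers built on it are hypothetical, written for this illustration; the authorize filters mirror the "previously" and "now" snippets above.

```ruby
# Added example, not from the original post. MiniController is a
# hypothetical stand-in that mimics the Rails >= 2.0.1 rule: a filter halts
# the chain only by rendering or redirecting; what it returns is ignored.
class MiniController
  attr_reader :status, :body, :current_user

  def self.before_filter(name)
    (@filters ||= []) << name
  end

  def self.filters
    @filters || []
  end

  def initialize(current_user)
    @current_user = current_user
    @status = nil
    @body = nil
    @performed = false
  end

  # Records a response and marks the request as performed, which is the
  # only thing that stops the action from running in this model.
  def render(template, options = {})
    @status = options[:status] || 200
    @body = template
    @performed = true
  end

  def redirect_to(location)
    @status = 302
    @body = location
    @performed = true
  end

  def performed?
    @performed
  end

  # Runs each before_filter, ignoring its return value; the action is
  # skipped only if some filter rendered or redirected.
  def process(action)
    self.class.filters.each do |f|
      send(f)
      return self if performed?
    end
    send(action)
    self
  end
end

# Pre-2.0.1 style: the filter returns false and expects that to halt the chain.
class LegacyAdminController < MiniController
  before_filter :authorize

  def authorize
    return false unless current_user == :admin
    true
  end

  def destroy_everything
    render 'admin/destroyed', :status => 200
  end
end

# Fixed style from the post: render a 403 view, which actually halts the chain.
# The trailing "and return false" is kept from the post; it is harmless here.
class FixedAdminController < MiniController
  before_filter :authorize

  def authorize
    unless current_user == :admin
      render 'errors/403', :status => 403 and return false
    end
  end

  def destroy_everything
    render 'admin/destroyed', :status => 200
  end
end

if __FILE__ == $0
  legacy = LegacyAdminController.new(:guest).process(:destroy_everything)
  puts "legacy filter, guest: #{legacy.status} #{legacy.body}"   # bypassed
  fixed = FixedAdminController.new(:guest).process(:destroy_everything)
  puts "fixed filter, guest:  #{fixed.status} #{fixed.body}"     # blocked
end
```

Running it shows the guest reaching destroy_everything through the legacy filter (status 200, the action's own view) while the fixed filter answers with the 403 view and never calls the action; an admin still gets through the fixed filter normally.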
