There is a vulnerability in the limit() function in Rails 3.0.x. This vulnerability has been assigned the CVE identifier CVE-2011-0448.
Versions Affected: 3.0.0-3.0.3
Not affected: Releases before 3.0.0
Fixed Versions: 3.0.4

Impact
------

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The 3.0.4 release is available at the normal location.

Workarounds
-----------

Users should convert any values provided to the limit() function into integers explicitly. For example, code which is currently:

    @posts = Post.limit(params[:per_page]).all

should become:

    @posts = Post.limit(params[:per_page].to_i).all

Patches
-------

Given the simplicity of the workarounds and the low risk of the upgrade, we will not be backporting this change to earlier releases. Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.

Credits
-------

Thanks to Eaden McKee from Webforce Ltd for reporting the bug to us.
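The following is an added example, not code from the advisory or from Rails itself: it models the workaround above by contrasting a query builder that appends a request parameter to a LIMIT clause verbatim with one that coerces it first, and adds a stricter validator. The helper names (`vulnerable_limit_sql`, `workaround_limit_sql`, `strict_limit`) and the SQL fragments are assumptions standing in for ActiveRecord internals, and the inputs are constructed.

```ruby
# Added example (not the Rails project's code). The helpers below are a
# hypothetical stand-in for how a query builder appends LIMIT to a query.

# Pattern the advisory warns about: the raw parameter is appended as-is, so
# anything that is not a number reaches the database untouched.
def vulnerable_limit_sql(base_sql, per_page)
  "#{base_sql} LIMIT #{per_page}"
end

# Workaround from the advisory: coerce to an integer before the value is
# used. String#to_i never raises: "abc".to_i is 0 and "10abc".to_i is 10,
# so the clause always holds a bare integer (at worst LIMIT 0, an empty page).
def workaround_limit_sql(base_sql, per_page)
  "#{base_sql} LIMIT #{per_page.to_i}"
end

# Stricter variant (an assumption, not from the advisory): accept only a
# plain positive integer, fall back to a default when the parameter is
# absent, and cap the value so a client cannot request an unbounded page.
def strict_limit(per_page, default: 25, max: 100)
  value = per_page.to_s
  return default if value.empty?
  unless value.match?(/\A\d+\z/)
    raise ArgumentError, "per_page must be a positive integer, got #{value.inspect}"
  end
  n = value.to_i
  raise ArgumentError, "per_page must be at least 1" if n < 1
  [n, max].min
end

if __FILE__ == $PROGRAM_NAME
  base = "SELECT * FROM posts"
  tainted = "10 -- tail"          # constructed: a non-numeric parameter value
  puts vulnerable_limit_sql(base, tainted)   # tail text reaches the SQL
  puts workaround_limit_sql(base, tainted)   # LIMIT 10
  puts strict_limit("500")                   # 100 (capped)
end
```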