There is a vulnerability in the limit() function in Rails 3.0.x. This vulnerability has been assigned the CVE identifier CVE-2011-0448.

Versions Affected:  3.0.0-3.0.3
Not affected:       Releases before 3.0.0
Fixed Versions:     3.0.4

All users running an affected release should either upgrade or use one
of the workarounds immediately.

The 3.0.4 release is available at the normal location.


Users should convert any values provided to the limit() function into
integers explicitly.  For example, code which is currently:

 @posts = Post.limit(params[:per_page]).all

Should become:

 @posts = Post.limit(params[:per_page].to_i).all
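
An added example, not code from the advisory or from Rails, showing the
integer coercion the workaround describes together with the range check a
practitioner would normally add in front of limit(); safe_limit and the
per-page constants are hypothetical names, and no Rails is assumed.

```ruby
# Added example (not part of the original advisory): coercing a user-supplied
# per_page value before it reaches ActiveRecord's limit(), as the workaround
# recommends, with bounds so a request cannot ask for an unbounded page.
# Hypothetical names; this only shows what would wrap params[:per_page].

DEFAULT_PER_PAGE = 25
MAX_PER_PAGE     = 100

# Returns an Integer in 1..max. Only a string consisting entirely of digits
# is accepted; anything else (nil, empty, "10abc", "1e3") falls back to the
# default. Integer(str, 10) is used rather than to_i because to_i silently
# accepts a leading number followed by arbitrary trailing text.
def safe_limit(raw, default: DEFAULT_PER_PAGE, max: MAX_PER_PAGE)
  return default if raw.nil?
  str = raw.to_s.strip
  return default unless str.match?(/\A\d+\z/)
  n = Integer(str, 10)
  return default if n < 1
  [n, max].min
end

# Constructed sample inputs: to_i alone already yields a plain Integer (which
# is what closes the hole), but it still lets through "0" (an empty page) or a
# huge value; safe_limit additionally clamps those to a sane range.
SAMPLE_INPUTS = ["10", " 50 ", "0", "-5", "", nil, "10abc", "9999999", "1e3"]

if __FILE__ == $0
  SAMPLE_INPUTS.each do |v|
    puts "#{v.inspect.ljust(12)} to_i=#{v.to_i.to_s.ljust(8)} safe_limit=#{safe_limit(v)}"
  end
end
```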

Given the simplicity of the workarounds and the low risk of the
upgrade, we will not be backporting this change to earlier releases.

Please note that only the 2.3.x and 3.0.x series are supported at
present.  Users of earlier unsupported releases are advised to upgrade
as soon as possible.


Thanks to Eaden McKee from Webforce Ltd for reporting the bug to us.