Posted by Bryan Larsen on 2013-01-02
A SQL injection vulnerability has been found in ActiveRecord that impacts all versions of Rails.
I have released Hobo 1.3.3 that patches Hobo’s vulnerability to this issue.
If you are using Hobo 2.0 it is recommended that you upgrade to Rails 3.2.10, although I have also pushed the security patch to github master.
The Hobo fix only impacts Hobo’s usage. If you use find_by_ in your own code, you must fix those up yourself by coercing the input (find_by_foo(params[:foo].to_s), for example) or by upgrading to a version of Rails without the vulnerability.
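Finding the call sites that need the coercion described above is the tedious part of the fix. The following is an added example, not code from the Hobo project or this post: a small heuristic audit script that scans Ruby source for dynamic finders (find_by_*, find_all_by_*, find_last_by_*) that are passed params[...] without a trailing .to_s or .to_i. The sample controller it scans is constructed for illustration.

```ruby
# Added example: heuristic audit for dynamic finders fed raw request params.
# It only recognises the common `Model.find_by_x(params[:x])` shape, so treat
# its output as a list of call sites to inspect by hand, not a proof of safety.

# A dynamic finder call, capturing the finder name and its argument list.
DYNAMIC_FINDER = /\b(find(?:_all|_last)?_by_\w+)\s*\(([^)]*)\)/

# A request-derived argument: params[...] with optional nested [...] access.
PARAM_ARG = /\bparams\s*\[[^\]]+\](?:\s*\[[^\]]+\])*/

# The same argument immediately coerced to a scalar with .to_s or .to_i.
COERCED = /\bparams\s*\[[^\]]+\](?:\s*\[[^\]]+\])*\s*\.\s*to_(?:s|i)\b/

# Returns [[line_number, finder_name, argument], ...] for every argument that
# is request-derived and not coerced. Commented-out lines are skipped.
def audit_dynamic_finders(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#')
    line.scan(DYNAMIC_FINDER) do |finder, args|
      args.split(',').each do |arg|
        arg = arg.strip
        next unless arg =~ PARAM_ARG   # not request input, nothing to coerce
        next if arg =~ COERCED         # already forced to a scalar
        findings << [lineno, finder, arg]
      end
    end
  end
  findings
end

# Constructed sample controller (not real application code) to scan.
SAMPLE_SOURCE = <<'RUBY'
# constructed sample
class SessionsController < ApplicationController
  def create
    user  = User.find_by_login(params[:login])                 # raw: flagged
    safe  = User.find_by_login(params[:login].to_s)            # coerced: ok
    # old = User.find_by_login(params[:login])                 # comment: skipped
    token = Token.find_by_value_and_kind(params[:t], 'reset')  # first arg flagged
    acct  = Account.find_by_id(params[:account][:id])          # nested raw: flagged
    local = User.find_by_login(login)                          # not params: ok
  end
end
RUBY

if __FILE__ == $0
  audit_dynamic_finders(SAMPLE_SOURCE).each do |lineno, finder, arg|
    puts "line #{lineno}: #{finder}(#{arg}) passes a raw request parameter"
  end
end
```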