Closing CVE-2014-0130 in unsupported versions of Rails
A post to the Ruby on Rails security list yesterday revealed a pretty serious vulnerability in ActionController's handling of implicit controller actions. (You know, when a controller doesn't have a certain action method defined but the request still dispatches successfully because a template with the matching name exists.)
Fixes have been posted for Rails 3.2, 4.0, and 4.1. However, some apps haven't been upgraded yet, and no patches are available for those older versions of Rails.
We developed a fix for a Rails 3.1 app that completely disables implicit controller actions. Since I'm not a fan of them anyway, losing this feature kind of feels like a win to me. It's a simple monkeypatch that removes the guts of a method in ActionController::ImplicitRender.
This should also work in Rails 3.0, and in Rails 4.x if you'd like to disable this feature in your app.
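As an added example (not the post's own patch), here is what such a monkeypatch looks like, along with a constructed, self-contained stand-in for the Rails 3.x dispatch chain so you can see the effect without a Rails install. The stand-in is not Rails' code; it only mimics the shape of `AbstractController::Base#method_for_action` and `ActionController::ImplicitRender#method_for_action` in Rails 3.0/3.1. The controller, template names and initializer file name are assumptions.

```ruby
# Added example: disabling implicit controller actions in Rails 3.x.
# The "stand-in" section below is constructed to mimic Rails' dispatch chain
# so the patch can be exercised stand-alone; it is not Rails' real code.

# --- Constructed stand-in for the Rails 3.1 dispatch chain (not Rails code) --
module AbstractController
  class Base
    attr_reader :action_name

    # Public instance methods defined directly on the controller class.
    def self.action_methods
      public_instance_methods(false).map(&:to_s)
    end

    def action_method?(name)
      self.class.action_methods.include?(name)
    end

    # Strict lookup: only real controller methods are dispatchable.
    def method_for_action(action_name)
      action_name if action_method?(action_name)
    end

    # Mimics AbstractController::Base#process: resolve the action, then call it.
    def process(action_name)
      @action_name = action_name.to_s
      method = method_for_action(@action_name)
      raise ArgumentError, "ActionNotFound: #{@action_name}" unless method
      send(method)
    end
  end
end

module ActionController
  module ImplicitRender
    # Rails 3.x behaviour: when no controller method matches, fall back to
    # "default_render" as long as a template with the requested name exists.
    def method_for_action(action_name)
      super || ("default_render" if template_exists?(action_name.to_s))
    end

    def default_render
      "rendered #{action_name} template"
    end

    # Constructed template lookup; in Rails this is a view-path lookup on disk.
    def template_exists?(name)
      self.class.templates.include?(name)
    end
  end

  class Base < AbstractController::Base
    include ImplicitRender
    def self.templates; []; end
  end
end

# Sample controller (constructed): one explicit action, two templates "on disk".
class PostsController < ActionController::Base
  def self.templates; %w[index preview]; end

  def index
    "index action ran"
  end
end

# --- The monkeypatch ----------------------------------------------------------
# In an app, put the body of this module_eval in an initializer such as
# config/initializers/disable_implicit_actions.rb (hypothetical name) as a plain
# `module ActionController; module ImplicitRender; ...; end; end` reopening.
# Reopening the module replaces the method for every controller that includes
# it; `super` now goes straight to the strict AbstractController lookup, so the
# template-name fallback is gone and only real action methods can be reached.
def disable_implicit_actions!
  ActionController::ImplicitRender.module_eval do
    def method_for_action(action_name)
      super
    end
  end
end

# Returns true if the action dispatches, false if it is rejected as not found.
def dispatchable?(controller_class, action)
  controller_class.new.process(action)
  true
rescue ArgumentError
  false
end

BEFORE_PATCH   = dispatchable?(PostsController, "preview")  # template only: dispatches
disable_implicit_actions!
AFTER_PATCH    = dispatchable?(PostsController, "preview")  # no method: rejected
STILL_EXPLICIT = PostsController.new.process("index")       # explicit action unaffected

if __FILE__ == $0
  puts "implicit 'preview' before patch: #{BEFORE_PATCH}"
  puts "implicit 'preview' after patch:  #{AFTER_PATCH}"
  puts "explicit 'index' after patch:    #{STILL_EXPLICIT}"
end
```

Explicit actions that never call `render` still get their template rendered, because that part of ImplicitRender (`send_action` calling `default_render` after the action runs) is untouched; what the patch removes is only the ability of a request-supplied action name to reach a template with no corresponding controller method. After deploying it, any view that was relied on as an implicit action will start raising `ActionNotFound`, so grep your controllers and routes for template-only actions before rolling it out.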