Got a Rails App Accepting XML Input? You've Got A Fix To Do – Now.
The official Ruby blog announces that REXML, an XML library that ships with Ruby and is heavily used by many Ruby apps (including Rails), is vulnerable to a specific type of attack that could result in a denial of service. Core Rails developer Michael "Koz" Koziarski has posted instructions on how to work around it.
If you're running Rails 2.1.0 or later, it's very simple. Just run:
gem install rexml-expansion-fix
And then add this to your app's environment.rb file:
For users of lower versions of Rails, refer to Koz's post for further information. Bear in mind that even if you don't use Rails' XML processing features, they will most likely be automatically employed by your app when it receives XML data, so get on top of this right away.
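As an added example (not from the post, the Ruby blog, or Koz's gem), here is a small Ruby helper that caps the number of entity expansions REXML may perform per parse, plus a self-check you can run at boot to confirm the cap is actually enforced on the REXML version you ship. It assumes a REXML that exposes REXML::Security.entity_expansion_limit; the probe document is constructed for the check.

```ruby
require 'rexml/document'

# Parses +xml+ with REXML while capping how many entity expansions the parser
# may perform. The cap is applied through REXML::Security (a process-wide
# setting) and restored afterwards. Returns the text of the root element, or
# :rejected when REXML aborted because the cap was exceeded.
def parse_with_expansion_budget(xml, max_expansions:)
  previous = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = max_expansions
  begin
    doc = REXML::Document.new(xml)
    doc.root.text              # entity references are resolved here (lazily)
  rescue RuntimeError => e     # REXML signals a tripped limit as RuntimeError
    raise unless e.message =~ /entity expansion/
    :rejected
  ensure
    REXML::Security.entity_expansion_limit = previous
  end
end

# Constructed probe document (not from the page): one internal entity that
# refers to another three times, so resolving the root text needs several
# expansions. Small enough to be harmless, large enough to exceed a tight cap.
PROBE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE root [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;">
  ]>
  <root>&b;</root>
XML

# True when the budget is really enforced: a tight budget rejects the probe
# while a generous one expands it to "xxx". Run this once at application
# startup after installing the fix or upgrading Ruby/REXML.
def expansion_limit_enforced?
  parse_with_expansion_budget(PROBE_XML, max_expansions: 1) == :rejected &&
    parse_with_expansion_budget(PROBE_XML, max_expansions: 100) == 'xxx'
end

if __FILE__ == $PROGRAM_NAME
  puts(expansion_limit_enforced? ? 'entity expansion limit enforced' : 'limit NOT enforced')
end
```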