Rails 3: Mass assignment protection and .create_with

Tobias Kraze
August 19, 2014
Software engineer at makandra GmbH

The issue

Yesterday, Rails fixed a security issue (CVE-2014-3514) in Rails 4+. It was possible to use .where or .create_with to bypass Rails' Strong Parameters:

user.blog_posts.create_with(params[:blog_post]).create

would set all attributes on the blog post. After the fix, you have to properly whitelist the params, via params[:blog_post].permit(:title, :body).

If you did not even know .create_with existed, have a look at the API.

How this applies to Rails 3

In Rails 3, Strong Parameters did not exist yet. Instead, you used mass assignment protection via attr_accessible / attr_protected.

But for .create_with and .where, mass assignment protection has no effect. The code above can set protected attributes.

Unfortunately, there is no good fix for this, since you do not always want mass assignment protection to apply. Consider this:

BlogPost.create_with(:user_id => current_user.id).create(params[:blog_post])

Here you clearly want the user_id to be set, even if it is protected. It would be more dangerous not to set it.

Rails 4 can be more clever, due to how Strong Parameters work, as it can easily distinguish between user input and internal code. Rails 3 cannot, and so won't protect you from this.
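To make the difference between the two assignment paths concrete, here is an added example that is not part of the original card and does not use ActiveRecord: a small pure-Ruby stand-in that mimics just enough of attr_accessible, assign_attributes and .create_with(...).create to show which path honours the whitelist. The model, the constructed USER_PARAMS hash and the whitelist_for_create_with helper are all assumptions made for the illustration; with a real Rails 3 model you would filter against BlogPost.accessible_attributes instead of the BlogPost::ACCESSIBLE constant used here.

```ruby
# Added example (not from the original article): pure-Ruby stand-in for the two
# Rails 3 assignment paths. No ActiveRecord is loaded; BlogPost only mimics
# attr_accessible / assign_attributes / create_with.
require 'set'

class BlogPost
  ACCESSIBLE = Set.new(%w[title body]) # stand-in for attr_accessible :title, :body

  attr_reader :attributes

  def initialize
    @attributes = { 'title' => nil, 'body' => nil, 'user_id' => nil, 'published' => false }
  end

  # Mass assignment path: silently drops every key that is not whitelisted,
  # like Rails 3's sanitize_for_mass_assignment.
  def assign_attributes(hash)
    hash.each { |k, v| @attributes[k.to_s] = v if ACCESSIBLE.include?(k.to_s) }
    self
  end

  # Relation-style .create_with(...).create: scope attributes are written
  # directly, with no whitelist check (the behaviour the article warns about).
  def self.create_with(scope_attrs)
    Relation.new(scope_attrs)
  end

  class Relation
    def initialize(scope_attrs)
      @scope_attrs = scope_attrs
    end

    def create(user_attrs = {})
      post = BlogPost.new
      @scope_attrs.each { |k, v| post.attributes[k.to_s] = v } # bypasses whitelist
      post.assign_attributes(user_attrs)                         # honours whitelist
    end
  end
end

# Mitigation for Rails 3 code that wants to feed user input into create_with:
# filter the hash against the model's whitelist first. Hypothetical helper;
# in real Rails 3 use BlogPost.accessible_attributes instead of ACCESSIBLE.
def whitelist_for_create_with(params)
  params.select { |k, _| BlogPost::ACCESSIBLE.include?(k.to_s) }
end

# Constructed request params: user-controlled hash that also carries attributes
# the model protects.
USER_PARAMS = { 'title' => 'Hello', 'body' => 'text',
                'published' => true, 'user_id' => 1 }.freeze

# Vulnerable pattern from the article: user input goes straight into create_with.
def unsafe_post
  BlogPost.create_with(USER_PARAMS).create
end

# Same call with the whitelist applied beforehand.
def safe_post
  BlogPost.create_with(whitelist_for_create_with(USER_PARAMS)).create
end

# Legitimate internal use: create_with sets a protected attribute on purpose,
# while the user hash still passes through mass assignment protection.
def owned_post(current_user_id)
  BlogPost.create_with('user_id' => current_user_id).create(USER_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_post.attributes
  p safe_post.attributes
  p owned_post(42).attributes
end
```

Running the file prints three attribute hashes: the first shows published and user_id taken from user input, the second shows only title and body set, and the third shows user_id forced to the current user while the user-supplied published and user_id are dropped. The point of the helper is that the whitelist decision is made before the hash reaches create_with, which is the only place Rails 3 gives you to make it.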

Posted by Tobias Kraze to makandra dev (2014-08-19 11:52)