How to recognize CVE-2019-5418


If you see requests in your logs with a formats value like this:

{:locale=>[:de], :formats=>["../../../../../../../../../../etc/services{{"], :variants=>[], :handlers=>[:erb, :builder, :raw, :ruby, :coffee, :haml]}

or errors like this:

Invalid query parameters: invalid %-encoding (../../../../../../../../../etc/passwd%%0000.html)

someone is trying to exploit CVE-2019-5418 (a file content disclosure in Action View).
If you use the latest Rails (or the latest Rails LTS) you're safe. The exact versions that fix this issue are: Rails 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1, Rails LTS 3.2.22.13 and Rails LTS 2.3.18.24.
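As an added example (not part of the original card, and not Rails code), here is a small Ruby script that scans log lines for the two signatures above and reports the matching line numbers; the log lines are constructed and the IP addresses are placeholders.

```ruby
# Added example: detect CVE-2019-5418 probes in Rails log output.
# Sample log lines are constructed; IP addresses are placeholders.

# Repeated "../" fragments, as seen inside the :formats array of the
# lookup context and inside the %-encoding error message.
TRAVERSAL = /(?:\.\.\/){2,}/

# Signature 1: an inspected lookup context whose :formats array contains
# a traversal sequence (the trailing "{{" is typical for this probe).
FORMATS_SIGNATURE = /:formats=>\[[^\]]*#{TRAVERSAL}[^\]]*\]/

# Signature 2: Rack rejecting a %-encoded value that carries a traversal.
ENCODING_SIGNATURE = /invalid %-encoding \([^)]*#{TRAVERSAL}[^)]*\)/

# Returns [[line_number, :formats | :encoding], ...] for every hit.
def find_cve_2019_5418_attempts(lines)
  lines.each_with_index.filter_map do |line, index|
    kind =
      if line.match?(FORMATS_SIGNATURE) then :formats
      elsif line.match?(ENCODING_SIGNATURE) then :encoding
      end
    [index + 1, kind] if kind
  end
end

# Constructed log excerpt: two probes and one normal JSON request.
SAMPLE_LOG = <<~LOG
  Started GET "/" for 203.0.113.5 at 2019-05-29 07:25:01 +0200
  Processing by PagesController#index as HTML
  {:locale=>[:de], :formats=>["../../../../../../../../../../etc/services{{"], :variants=>[], :handlers=>[:erb, :builder, :raw, :ruby, :coffee, :haml]}
  Started GET "/pages/1" for 198.51.100.7 at 2019-05-29 07:25:02 +0200
  ActionController::BadRequest (Invalid query parameters: invalid %-encoding (../../../../../../../../../etc/passwd%%0000.html)):
  Started GET "/pages/2.json" for 198.51.100.9 at 2019-05-29 07:25:03 +0200
  {:locale=>[:en], :formats=>[:json], :variants=>[], :handlers=>[:erb, :builder, :raw, :ruby]}
LOG

if __FILE__ == $PROGRAM_NAME
  find_cve_2019_5418_attempts(SAMPLE_LOG.lines).each do |number, kind|
    puts "line #{number}: CVE-2019-5418 probe (#{kind} signature)"
  end
end
```

Feed it your production log with something like `find_cve_2019_5418_attempts(File.foreach("log/production.log"))` to count probes; the line numbers it returns are positions within the lines you pass in.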

Last edit: Henning Koch
License: Source code in this card is licensed under the MIT License.
Posted to makandra dev (2019-05-29 07:25)