From 35a0521c3c2e8cea397accb648f15f7e8b3cf8a8 Mon Sep 17 00:00:00 2001 From: Abe Voelker Date: Fri, 9 Mar 2012 15:15:01 -0600 Subject: [PATCH] Fix 'Security#Mass Assignment' URL typo --- railties/guides/source/security.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index b1a09c0c05..747a4d6791 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -374,7 +374,7 @@ end Mass-assignment saves you much work, because you don't have to set each value individually. Simply pass a hash to the +new+ method, or +assign_attributes=+ a hash value, to set the model's attributes to the values in the hash. The problem is that it is often used in conjunction with the parameters (params) hash available in the controller, which may be manipulated by an attacker. He may do so by changing the URL like this:
-"name":http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
+http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
 
This will set the following parameters in the controller: