The new release of Clearance works around the latest Rails SQL injection. Upgrade to Clearance 0.16.3 for the security fix.
gem 'clearance', '~> 0.16.3'
In Clearance we generate a
confirmation_token when you
forget your password, and clear it when you successfully reset your
password. In the controller we find the user like this:
@user = User.find_by_id_and_confirmation_token(params[:user_id], params[:token])
This approximately translates to this ARel query:
User.where(:id => params[:user_id], :confirmation_token => params[:token])
Normally this generates perfectly safe SQL:
SELECT users.* FROM users WHERE users.id = 1 AND users.confirmation_token = 'hello' LIMIT 1
params[:token] is a list with one
element, the generated SQL is closer to this:
SELECT users.* FROM users WHERE users.id = 1 AND users.confirmation_token IS NULL LIMIT 1
That is, if you can get
params[:token] to produce
[nil] then you can become any user without a
Prior to Rails 3.2.5, this URL would generate
We catch this in Clearance now.
Upgrade to Clearance 0.16.3. If you are using Rails 3.2.5 or above then you do not need to upgrade Clearance to get this fix.
Thank you to Ben Murphy for bringing this to our attention in a professional manner, and to the Rails team for fixing it quickly.