科技回声
MultiXml gem has same vulnerability as Rails' CVE-2013-0156 – patch now

44 points by fowlduck over 12 years ago

6 comments

jrochkind1 over 12 years ago

Hmm, I'm not sure you could say it has "the same vulnerability".

It has the same vulnerability if you pass untrusted input to it, okay.

But the point of the Rails vulnerability is that every Rails app, by default, was set up to accept external user input and run it through an XML parser. Even if you didn't realize it.

If you are using MultiXml, you may or may not be passing untrusted user input to it, depends on what you did with it.

Right?

Comment #5041877 not loaded
Comment #5042967 not loaded
Comment #5041788 not loaded
kanzure over 12 years ago

Yo dawgs, the mailchimp, aws-sdk, jenkins and twilio gems use HTTParty which uses multi_xml. You should look into this.

Comment #5041044 not loaded
Comment #5040774 not loaded
Comment #5040868 not loaded
Comment #5040742 not loaded
Comment #5041293 not loaded
Comment #5041118 not loaded
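The comment above makes the point that exposure to multi_xml is often transitive: an application may never require it directly yet still pull it in through HTTParty. The script below is an added example (not code from the thread or from any of the gems named) that reads a Gemfile.lock, walks the dependency graph in reverse to list every gem that depends on a target gem, and checks whether the locked version is below a fixed version. The lockfile text and its version numbers are constructed for illustration; the fixed-version string is the 0.5.2 release the thread mentions, and the helper names (`parse_specs`, `dependents_of`, `locked_below?`) are assumptions of this example.

```ruby
require 'rubygems'

# Constructed Gemfile.lock fragment. Gem versions here are made up for the
# example and are not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      httparty (0.9.0)
        multi_json (~> 1.0)
        multi_xml (>= 0.5.1)
      mailchimp (1.0.0)
        httparty
      multi_json (1.5.0)
      multi_xml (0.5.1)
      rake (10.0.3)

  PLATFORMS
    ruby
LOCK

# Parse the "specs:" section(s) of a Gemfile.lock into
#   { gem_name => { version: "x.y.z", deps: ["dep1", ...] } }.
# In the lockfile format, a gem entry is indented by 4 spaces and its
# dependencies by 6; a blank line ends the section.
def parse_specs(lock_text)
  specs = {}
  current = nil
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    next unless in_specs
    if line.strip.empty?
      in_specs = false
      next
    end
    indent = line[/\A */].size
    name = line.strip.split(' ', 2).first
    if indent == 4
      version = line[/\(([^)]+)\)/, 1]
      specs[name] = { version: version, deps: [] }
      current = name
    elsif indent == 6 && current
      specs[current][:deps] << name
    end
  end
  specs
end

# Return the sorted names of every gem that depends on `target`, directly
# or through other gems, by breadth-first search over the reversed graph.
def dependents_of(specs, target)
  reverse = Hash.new { |h, k| h[k] = [] }
  specs.each { |name, spec| spec[:deps].each { |dep| reverse[dep] << name } }
  seen = []
  queue = reverse[target].dup
  until queue.empty?
    gem_name = queue.shift
    next if seen.include?(gem_name)
    seen << gem_name
    queue.concat(reverse[gem_name])
  end
  seen.sort
end

# True when the locked version of `gem_name` is older than `fixed_version`.
# Gem::Version handles pre-release and multi-segment comparisons correctly,
# which a plain string comparison would not.
def locked_below?(specs, gem_name, fixed_version)
  spec = specs[gem_name]
  return false unless spec
  Gem::Version.new(spec[:version]) < Gem::Version.new(fixed_version)
end

if __FILE__ == $PROGRAM_NAME
  specs = parse_specs(SAMPLE_LOCK)
  target = 'multi_xml'
  puts "#{target} locked at #{specs[target][:version]}"
  puts "below fixed 0.5.2: #{locked_below?(specs, target, '0.5.2')}"
  puts "gems that pull it in: #{dependents_of(specs, target).join(', ')}"
end
```

Running it against a real lockfile means replacing `SAMPLE_LOCK` with `File.read('Gemfile.lock')`; the same reverse walk answers the question for any gem, not only multi_xml.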
nelhage over 12 years ago

I strongly recommend loading something like this in your Ruby applications: https://gist.github.com/4507129

It will prevent YAML.rb from instantiating arbitrary objects, which will close off this entire class of problems.

Obviously, if you *do* use YAML as a serialization format for arbitrary objects, this won't work, but odds are you aren't doing that.

Comment #5040966 not loaded
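The recommendation above is to stop the YAML loader from instantiating arbitrary objects when the document comes from outside the process. The snippet below is an added example, not the gist linked in the comment and not code from multi_xml: it uses `Psych.safe_load` (exposed as `YAML.safe_load`, added in Psych 2.0 and shipped with Ruby 2.1, so it postdates this thread), which accepts only plain scalars, arrays and hashes and raises `Psych::DisallowedClass` on any object tag. The two YAML documents are constructed inputs, and `parse_untrusted_yaml` is a name chosen for this example.

```ruby
require 'yaml'

# Constructed input: the kind of plain data an API response legitimately carries.
PLAIN_DOC = "name: widget\ncount: 3\n"

# Constructed input: a document that asks the loader to build a Ruby object.
# Plain YAML.load on older Psych would honour the tag; safe_load refuses it.
TAGGED_DOC = "--- !ruby/object:Object {}\n"

# Parse YAML that did not originate inside this process.
# Only strings, numbers, booleans, nil, arrays and hashes are allowed;
# object tags, symbols and aliases are rejected rather than honoured.
# Returns [:ok, data] on success or [:rejected, message] on refusal.
def parse_untrusted_yaml(text)
  data = YAML.safe_load(text)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, TAGGED_DOC].each do |doc|
    status, payload = parse_untrusted_yaml(doc)
    puts "#{status}: #{payload.inspect}"
  end
end
```

The caveat in the comment still applies: code that deliberately round-trips its own objects through YAML needs `YAML.load` (or `safe_load` with an explicit `permitted_classes:` list on current Psych), so the safe loader belongs at the boundary where external input enters, not as a blanket replacement.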
fowlduck over 12 years ago

Grape is also affected: https://groups.google.com/forum/?fromgroups=#!topic/ruby-grape/qX38Iy1Bwo8

fowlduck over 12 years ago

A version of multi_xml with this fix has been pushed: https://rubygems.org/gems/multi_xml/versions/0.5.2

jfirebaugh over 12 years ago

I'm keeping track of a list of vulnerable gems here: https://gist.github.com/4532291