Previously, the automatically set time-stamp related values could not
be overridden in user-level code; 2.3.0 and later allow them to be
overridden. Users who rely on these values for security-related
reasons may now find their applications vulnerable to exploitation via
the mass-assignment features. The attributes in question are:
* updated_at
* updated_on
* created_at
* created_on
Users are advised to mark these attributes as protected if they intend
to use them for security-related purposes. The Securing Rails
Application guide has detailed advice on this topic, and you should
probably take this time to review your own applications:
http://guides.rubyonrails.org/security.html#mass-assignment
Thanks to Alex MacCaw for reporting this to us, and working with us to
get this out.
--
Cheers
Koz
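
An added illustration of the behaviour described above, not code from the advisory or from Rails: a plain-Ruby stand-in for mass assignment showing a submitted created_at replacing the automatic value unless the attribute is marked protected. MiniRecord, UnprotectedTrial, ProtectedTrial and the FORGED input are hypothetical names and constructed data; in a real application the protection is declared on the ActiveRecord model itself.

```ruby
# Plain-Ruby stand-in for mass assignment (not ActiveRecord).
# MiniRecord, both Trial classes and FORGED are hypothetical / constructed.
class MiniRecord
  TIMESTAMPS = %w[created_at created_on updated_at updated_on].freeze

  # Same idea as marking attributes protected: listed names are skipped
  # by mass assignment and can only be set by application code.
  def self.attr_protected(*names)
    protected_attributes.concat(names.map(&:to_s))
  end

  def self.protected_attributes
    @protected_attributes ||= []
  end

  attr_reader :attributes

  def initialize(params = {})
    # Automatic time stamp (simplified: set at construction, before input).
    @attributes = { "created_at" => Time.now.utc }
    self.attributes = params
  end

  # Mass assignment: copy every submitted key unless the class protects it.
  def attributes=(params)
    params.each do |key, value|
      next if self.class.protected_attributes.include?(key.to_s)
      @attributes[key.to_s] = value
    end
  end
end

class UnprotectedTrial < MiniRecord; end

class ProtectedTrial < MiniRecord
  attr_protected(*TIMESTAMPS)
end

# Constructed form input carrying a user-chosen created_at.
FORGED = { "name" => "demo", "created_at" => Time.utc(2030, 1, 1) }.freeze

def created_at_after_mass_assignment(model_class)
  model_class.new(FORGED).attributes["created_at"]
end

puts created_at_after_mass_assignment(UnprotectedTrial) # submitted value wins
puts created_at_after_mass_assignment(ProtectedTrial)   # automatic value kept
```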