Automatically generated timestamps and attribute assignment in rails 2.3


Michael Koziarski

Apr 16, 2009, 2:51:50 AM
to rubyonrail...@googlegroups.com
There has been a change to attribute handling in Ruby on Rails
releases after 2.3.0 which may have security implications for some
users.

Previously, the automatically set timestamp-related values could not be
overridden in user-level code; 2.3.0 and later allow them to be
overridden. Users who rely on these values for security-related
reasons may now find their application vulnerable to exploitation via
the mass-assignment features. The attributes in question are:

* updated_at
* updated_on
* created_at
* created_on

Users are advised to mark these attributes as protected if they intend
to use them for security related purposes. The Securing Rails
Application guide has detailed advice on this topic, and you should
probably take this time to review your own applications:

http://guides.rubyonrails.org/security.html#mass-assignment

Thanks to Alex MacCaw for reporting this to us, and working with us to
get this out.

--
Cheers

Koz
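The following is an added illustration, not code from the advisory or from Rails itself. It uses a small stand-in model class (`MiniRecord`, a hypothetical name) with no database or Rails gem, so it runs on plain Ruby. It shows the mechanism the advisory describes: a timestamp that mass-assignment has already filled in survives `save`, so a forged `created_at` in request parameters becomes the stored value, unless the timestamp attributes are excluded from mass-assignment the way `attr_protected` does in a Rails 2.3 model. The class names `OpenPost` and `GuardedPost`, the parameters and the times are constructed for the example.

```ruby
require 'time'

# The four attributes the advisory lists.
TIMESTAMP_ATTRS = %w[created_at created_on updated_at updated_on].freeze

# Hypothetical stand-in for an ActiveRecord-style model. It only models
# two things: mass-assignment of a params hash, and "fill timestamps that
# are still unset" on save, which is the behaviour that lets a pre-set
# value through.
class MiniRecord
  # Class-level list of attribute names that mass-assignment must skip,
  # playing the role attr_protected plays in a Rails 2.3 model.
  def self.attr_protected(*names)
    protected_attributes.concat(names.map(&:to_s))
  end

  def self.protected_attributes
    @protected_attributes ||= []
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    self.attributes = params # mass-assignment entry point
  end

  # Mass-assignment: every key in params is written unless it is protected.
  def attributes=(params)
    params.each do |key, value|
      next if self.class.protected_attributes.include?(key.to_s)
      @attributes[key.to_s] = value
    end
  end

  # Stand-in for save on create: timestamps are filled only when nil,
  # so anything mass-assignment already set is kept as-is.
  def save(now = Time.now)
    TIMESTAMP_ATTRS.each { |name| @attributes[name] ||= now }
    self
  end
end

# Nothing protected: the situation the advisory warns about.
class OpenPost < MiniRecord
end

# The mitigation the advisory recommends, declared the same way a Rails
# 2.3 model would declare it.
class GuardedPost < MiniRecord
  attr_protected :created_at, :created_on, :updated_at, :updated_on
end

# Constructed request parameters, as a form post might deliver them:
# a legitimate field plus a forged created_at.
FORGED_PARAMS = {
  'title'      => 'hello',
  'created_at' => Time.parse('2000-01-01 00:00:00 UTC')
}.freeze

# Constructed "current time" so the result is deterministic.
NOW = Time.parse('2009-04-16 02:51:50 UTC')

# Build a record from the forged params, save it, and report the stored
# created_at; for OpenPost this is the forged value, for GuardedPost it
# is NOW.
def created_at_for(klass)
  klass.new(FORGED_PARAMS).save(NOW).attributes['created_at']
end

if __FILE__ == $PROGRAM_NAME
  puts "OpenPost    created_at: #{created_at_for(OpenPost)}"
  puts "GuardedPost created_at: #{created_at_for(GuardedPost)}"
end
```

The guarded class still accepts ordinary fields such as `title` through mass-assignment; only the four timestamp keys are dropped, which is the narrow change the advisory asks for.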
