Potential XSS Security Issue in LocaleController

January 26 2010 by railsdog

We’ve just patched the edge code to address a potential security hole. The vulnerability also affects prior versions of Spree including the latest 0.9.4 release. The upcoming 1.0.0 release will contain the fix. We will not be issuing a patch release but you can easily address the problem by patching the LocaleController in your site extension as follows:


class LocaleController < ApplicationController

  def set
    # Only accept a locale that is on the allow-list; anything else (including
    # attacker-controlled markup) is never stored or echoed back to the user.
    if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
      I18n.locale = params[:locale]
      session[:locale] = params[:locale]
      # The notice is a fixed translated string, not the raw parameter.
      flash[:notice] = t("locale_changed")
    else
      flash[:error] = t("locale_not_changed")
    end
    redirect_back_or_default(root_path)
  end

end
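The allow-list pattern used in the patch above, reduced to plain Ruby so it can be run and tested outside Rails. This is an added example, not Spree's code: AVAILABLE_LOCALES is a constructed list, and session and flash are stand-in hashes. It also accepts symbols, because I18n.available_locales yields symbols while request params arrive as strings, and a type mismatch would silently reject every locale.

```ruby
# Constructed allow-list; in a Spree site this comes from the application's
# configuration, not from anything the client sends.
AVAILABLE_LOCALES = %w[en en-GB de fr].freeze

# Returns the validated locale string, or nil when the requested value is not
# on the allow-list. Anything not on the list (including values carrying
# markup or script) is dropped, so it can never reach the session or a flash
# message that is later rendered back to the browser.
def validated_locale(requested, available = AVAILABLE_LOCALES)
  # Rails params may be arrays or hashes; only plain strings/symbols qualify.
  return nil unless requested.is_a?(String) || requested.is_a?(Symbol)

  wanted  = requested.to_s
  allowed = available.map(&:to_s)   # normalise symbols vs strings
  allowed.include?(wanted) ? wanted : nil
end

# Minimal stand-in for the controller action: same control flow as the patch,
# with session and flash modelled as plain hashes.
def set_locale(params, session = {}, flash = {})
  locale = validated_locale(params[:locale])
  if locale
    session[:locale] = locale
    flash[:notice]   = "locale_changed"    # fixed string, not the raw param
  else
    flash[:error]    = "locale_not_changed"
  end
  [session, flash]
end
```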

Special thanks to Alexander Kozliakov for reporting the bug and providing a fix. Please continue to report any suspected security issues to security@railsdog.com.