We've just patched the edge code to address a security hole in locale handling. The vulnerability also affects prior versions of Spree, including the latest 0.9.4 release; the upcoming 1.0.0 release will contain the fix. We will not be issuing a patch release, but you can address the problem yourself by patching the LocaleController in your site extension as follows, so that only a locale listed in AVAILABLE_LOCALES can be selected:
```ruby
class LocaleController < ApplicationController
  def set
    # Only honour a locale that the application actually ships; any other
    # value (missing, unknown, or tampered) is ignored and reported as an error.
    if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
      I18n.locale = params[:locale]
      session[:locale] = params[:locale]
      flash[:notice] = t("locale_changed")
    else
      flash[:error] = t("locale_not_changed")
    end
    redirect_back_or_default(root_path)
  end
end
```
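The allow-list check is the whole fix, so it is worth seeing exactly which inputs it turns away. The following is an added example written for this page, not Spree's own code: the same check rewritten as a plain Ruby method with a stand-in AVAILABLE_LOCALES list and a constructed set of tampered requests, so it runs without Rails.

```ruby
# Added example, not Spree's code. AVAILABLE_LOCALES stands in for the
# application's own list of shipped locales (assumed values).
AVAILABLE_LOCALES = %w[en de es fr].freeze

# Outcome of one locale-change request: the locale now stored in the session,
# the flash key the controller would set, and whether the request was honoured.
LocaleResult = Struct.new(:locale, :flash, :accepted)

# Mirrors the patched LocaleController#set. A request changes state only when
# params[:locale] is exactly one of the configured locales; the session is
# left untouched otherwise. Array#include? compares with ==, so an Array,
# Hash or Symbol smuggled in via query parsing never matches a String entry.
def set_locale(params, session)
  requested = params[:locale]
  if requested && AVAILABLE_LOCALES.include?(requested)
    session[:locale] = requested
    LocaleResult.new(requested, :notice, true)
  else
    LocaleResult.new(session[:locale], :error, false)
  end
end

# Constructed probe inputs: one legitimate switch followed by the kinds of
# values a tampered ?locale= parameter can produce. Returns a Hash mapping each
# input to whether it was accepted, and the session as it ends up.
def probe_locale_inputs
  session = {}
  inputs = [
    "de",                          # legitimate
    "EN",                          # wrong case, not coerced
    "en ",                         # trailing whitespace
    "../../config/database.yml",   # path-looking string
    ["en"],                        # locale[]=en parses to an Array
    { "x" => "en" },               # locale[x]=en parses to a Hash
    :en,                           # Symbol, never equal to the String "en"
    nil                            # parameter absent
  ]
  verdicts = inputs.map { |value| [value, set_locale({ locale: value }, session).accepted] }.to_h
  [verdicts, session]
end

if __FILE__ == $PROGRAM_NAME
  verdicts, session = probe_locale_inputs
  verdicts.each { |value, ok| puts "#{value.inspect.ljust(30)} #{ok ? 'accepted' : 'rejected'}" }
  puts "session locale: #{session[:locale].inspect}"
end
```

Only the first probe changes the session; every later value is rejected and the stored locale stays "de". Note that the check is strict string equality, which is what you want here: normalising case or trimming whitespace before the comparison would widen what an attacker can feed into I18n.locale.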
Special thanks to Alexander Kozliakov for reporting the bug and providing a fix. Please continue to report any suspected security issues to firstname.lastname@example.org.