The past two weeks have been abuzz with security patches for Rails. Yesterday’s in particular is quite serious, and if you haven’t upgraded yet, you really should.
This morning, we noticed an issue with a few of our applications that are still running Rails v3.0.x. There is currently a bug affecting security-patched Rails v3.0 applications that serve XML data to ActiveResource consumers (think of a typical Rails XML API).
Now, if the latest version of ActiveResource requests XML data from a Rails v3.0 server, it may raise an odd error:
    Hash::DisallowedType: Disallowed type attribute: "yaml"
We have just had a pull request merged into Rails that will fix this issue in v3.0.20, which should be released soon. Until then, if you need to apply the fix immediately, you can have Bundler use this code directly from GitHub:
    # In your Gemfile
    gem "rails", :git => 'https://github.com/rails/rails.git', :branch => '3-0-stable'
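To find which of your API responses would trigger the error described above, you can scan a response body for elements carrying the rejected type attribute. The following is an added example, not code from the original post or from Rails; the function name, the constants, and the sample XML are constructed for illustration, and it assumes the error is caused by type="yaml" attributes in the server's XML, as the message indicates.

```ruby
# Added example: list elements in an XML API response whose type attribute
# a patched consumer would reject. Diagnostic scan only, not a validating
# XML parser (attribute values containing ">" are not handled).

DISALLOWED_TYPES = %w[yaml].freeze # value taken from the error message above

# Matches a comment, CDATA section, processing instruction, or a tag.
# Capture groups are only set for tags: closing slash, name, attributes,
# self-closing slash.
TOKEN = /<!--.*?-->|<!\[CDATA\[.*?\]\]>|<\?.*?\?>|<(\/?)([\w:.-]+)((?:\s[^<>]*?)?)(\/?)>/m

# Returns an array of [element_path, type_value] pairs.
def disallowed_type_attributes(xml, disallowed = DISALLOWED_TYPES)
  stack = []
  hits = []
  xml.scan(TOKEN) do |closing, name, attrs, self_closing|
    next if name.nil? # comment, CDATA or processing instruction
    if closing == "/"
      stack.pop
      next
    end
    stack.push(name)
    # Require whitespace before "type" so "content-type" does not match.
    type = attrs.to_s[/\stype\s*=\s*(["'])(.*?)\1/m, 2]
    hits << [stack.join("/"), type] if type && disallowed.include?(type.downcase)
    stack.pop if self_closing == "/"
  end
  hits
end

# Constructed sample response, shaped like a typical Rails XML API payload.
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <post>
    <id type="integer">1</id>
    <title>Hello</title>
    <!-- <old type="yaml"/> -->
    <settings type="yaml">--- {}</settings>
    <content-meta content-type="yaml"/>
  </post>
XML

if __FILE__ == $PROGRAM_NAME
  disallowed_type_attributes(SAMPLE_XML).each do |path, type|
    puts "#{path}: type=#{type.inspect}"
  end
end
```

Run it against saved responses from each XML endpoint; any path it reports is a field the patched ActiveResource client will refuse to parse until the server is upgraded.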