Apparently some people don't like Rails and love to see an obscure bug that requires the secret session key, therefore they think their cherished and strongly held dislike will finally bask in smug glory.
Edit: I shouldn't have been so harsh since the author is a security researcher and is probably not doing it out of some grudge. But even from a security researcher, saying he has doubts about a software doesn't make something insecure.
If he can prove his statement that he thinks regular user input is insecure (without requiring the secret session key), then I will happily be convinced of his prowess in finding exploits.
I can confirm that @charliesome has found a loop-hole in Rails' parameters processing that makes it possible to do some really nasty stuff. I also know that others have discovered the same bug independently. I don't think anything has leaked to the public yet.
Based on Charlie's PoC I managed to sneak a SQL-injection into some really basic ActiveRecord queries. It's not entirely obvious how to accomplish this, but it wouldn't surprise me if other people who discovered the same bug will find similar exploits.
This has been reported to Rails' security team and I expect patches to be released pretty soon.
For now I don't have an easy-to-apply workaround that doesn't disclose the gist of the exploit.
I'm a full time rails developer and member of the "ruby community" and have nothing against rails. I am also strongly inclined to take tptacek at his word when he speaks on issues of security, even if he's light on the details. It's quite literally free consulting.
EDIT in response to upstream edit: He did imply that you should wait for the upcoming Rails advisory, so you'll get your proof then.