# Reports CVE-2012-3464 (Rails' html_escape does not escape single
# quotes) for the Rails version in use.
#
# Skipped entirely when the application is detected as escaping through
# Rack instead (uses_rack_escape?, defined elsewhere in this class).
# Rails 2.x (2.0.0..2.3.14) is warned about as a whole with no upgrade
# target; an affected 3.x release is warned about together with the
# first patch release that fixes it. Any other version produces no
# warning.
def run_check
  return if uses_rack_escape?

  message =
    if version_between? '2.0.0', '2.3.14'
      msg("All Rails 2.x versions do not escape single quotes ", msg_cve("CVE-2012-3464"))
    else
      text = msg(msg_version(rails_version), " does not escape single quotes ", msg_cve("CVE-2012-3464"), ". Upgrade to ")

      # Each entry is [lower bound, upper bound, first fixed release];
      # ranges are tested in this order and the first match wins.
      affected_ranges = [
        %w[3.0.0 3.0.16 3.0.17],
        %w[3.1.0 3.1.7 3.1.8],
        %w[3.2.0 3.2.7 3.2.8]
      ]
      _low, _high, fixed = affected_ranges.find { |low, high, _| version_between?(low, high) }

      # Not an affected 3.x release: nothing to report.
      return unless fixed

      text << msg_version(fixed)
    end

  warn :warning_type => "Cross-Site Scripting",
       :warning_code => :CVE_2012_3464,
       :message => message,
       :confidence => :medium,
       :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/kKGNeMrnmiY/discussion"
end