Ruby on Rails disclosed a bug submitted by thorsteneckel: https://hackerone.com/reports/1327196 [Source]