GitHub incidents spawns Rails security debate

Posted Mar 16, 2012 16:23 UTC (Fri) by bronson (subscriber, #4806)
In reply to: GitHub incidents spawns Rails security debate by slashdot
Parent article: GitHub incidents spawns Rails security debate

Nope. Did you read the article?


(Log in to post comments)

GitHub incidents spawns Rails security debate

Posted Mar 19, 2012 14:05 UTC (Mon) by blujay (guest, #39961) [Link]

Forgive me, not knowing much about Ruby or Rails, but I thought this was exactly the problem. Could you please clarify?

GitHub incidents spawns Rails security debate

Posted Mar 26, 2012 20:18 UTC (Mon) by bronson (subscriber, #4806) [Link]

Sure.

> So Rails basically gives the whole world read/write access to your database by default, by design?

Absolutely not. And nowhere in the article did it say that.

> Wow, looks like the Rails developers are just among the biggest idiots the universe ever created

Demonstrably false.

> or they are intentionally disseminating malicious software.

Maybe your tinfoil hat needs adjustment?

GitHub incidents spawns Rails security debate

Posted Mar 27, 2012 13:18 UTC (Tue) by jwakely (subscriber, #60262) [Link]

The section on mass assignment in the official RoR security guide says "Without any precautions Model.new(params[:model]) allows attackers to set any database column’s value." so simply claiming otherwise doesn't help to clarify anything.
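The mass-assignment behaviour quoted above, shown in plain Ruby as an added example (not code from the LWN thread, the Rails project, or the commenter): a constructed `Model` base class stands in for an ActiveRecord model, `User` accepts every column from the request hash the way an unprotected `Model.new(params[:model])` does, and `ProtectedUser` filters the hash through a whitelist in the spirit of `attr_accessible`, also recording the keys it dropped so the rejection can be logged. The column names, the `permit` helper and the sample request body are all constructed for the example.

```ruby
# Added example, not from the LWN page or from Rails itself.
# Whitelist filter in the spirit of attr_accessible: returns the permitted
# subset of the params plus the list of keys that were dropped, so a
# controller can log unexpected fields instead of silently writing them.
def permit(params, allowed)
  permitted = {}
  rejected = []
  params.each do |key, value|
    key = key.to_s
    if allowed.include?(key)
      permitted[key] = value
    else
      rejected << key
    end
  end
  [permitted, rejected]
end

# Constructed stand-in for an ActiveRecord model with three columns.
class Model
  COLUMNS = %w[name email admin].freeze  # constructed schema
  attr_reader :attributes

  def initialize(params)
    @attributes = Hash[COLUMNS.map { |c| [c, nil] }]
    assign(params)
  end

  # Unprotected mass assignment: any request key that names a column is
  # written, including columns the form never exposed (here "admin").
  def assign(params)
    params.each do |key, value|
      key = key.to_s
      @attributes[key] = value if COLUMNS.include?(key)
    end
  end
end

# Behaves like Model.new(params[:user]) with no attr_accessible declared.
class User < Model
end

# Same model with a whitelist: only name and email may come from a request.
class ProtectedUser < Model
  PERMITTED = %w[name email].freeze
  attr_reader :rejected_keys

  def assign(params)
    allowed, @rejected_keys = permit(params, PERMITTED)
    super(allowed)
  end
end

# Constructed request body: a signup form to which the client added an
# "admin" field that the HTML form never offered.
TAMPERED_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

# Returns true when the unprotected model let the request flip "admin".
def unprotected_escalates?
  User.new(TAMPERED_PARAMS).attributes["admin"] == true
end

# Returns true when the whitelisted model left "admin" untouched.
def protected_blocks?
  user = ProtectedUser.new(TAMPERED_PARAMS)
  user.attributes["admin"].nil? && user.rejected_keys == ["admin"]
end

if $PROGRAM_NAME == __FILE__
  puts "unprotected model escalated: #{unprotected_escalates?}"
  puts "whitelisted model blocked:   #{protected_blocks?}"
end
```

The point of `rejected_keys` is that a dropped field is also a signal: a request carrying columns the form never rendered is worth a log line, which is cheaper to add than to reconstruct after the fact.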

GitHub incidents spawns Rails security debate

Posted Mar 27, 2012 17:31 UTC (Tue) by bronson (subscriber, #4806) [Link]

I agree with what you said. But that's quite different from this:

> Rails basically gives the whole world read/write access to your database by default, by design.

If that were true, Rails sites would be getting pwned left and right.

I'd guess Model.new(params[:model]) isn't used in many production Rails sites. Not in any of the ones I've worked on anyway.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds