User: Password:
|
|
Subscribe / Log in / New account

GitHub incidents spawns Rails security debate

GitHub incidents spawns Rails security debate

Posted Mar 26, 2012 20:18 UTC (Mon) by bronson (subscriber, #4806)
In reply to: GitHub incidents spawns Rails security debate by blujay
Parent article: GitHub incidents spawns Rails security debate

Sure.

> So Rails basically gives the whole world read/write access to your database by default, by design?

Absolutely not. And nowhere in the article did it say that.

> Wow, looks like the Rails developers are just among the biggest idiots the universe ever created

Demonstrably false.

> or they are intentionally disseminating malicious software.

Maybe your tinfoil hat needs adjustment?


(Log in to post comments)

GitHub incidents spawns Rails security debate

Posted Mar 27, 2012 13:18 UTC (Tue) by jwakely (guest, #60262) [Link]

The section on mass assignment in the official RoR security guide says "Without any precautions Model.new(params[:model]) allows attackers to set any database column’s value." so simply claiming otherwise doesn't help to clarify anything.

GitHub incidents spawns Rails security debate

Posted Mar 27, 2012 17:31 UTC (Tue) by bronson (subscriber, #4806) [Link]

I agree with what you said. But that's quite different from this:

> Rails basically gives the whole world read/write access to your database by default, by design.

If that were true, Rails sites would be getting pwned left and right.

I'd guess Model.new(params[:model]) isn't used in many production Rails sites. Not in any of the ones I've worked on anyway.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds