LWN: Comments on "Two new (one "critical") Ruby on Rails vulnerabilities"

ETOOMANY0DAYS

meuh — Fri, 18 Jan 2013 14:18:42 +0000

Hopefully there's JRuby on Rails ... hopping that two 0days cancel each other ...

https://github.com/jruby/jruby/wiki/JRubyOnRails

Two new (one "critical") Ruby on Rails vulnerabilities

jake — Thu, 10 Jan 2013 16:07:08 +0000

> Why the scare quotes around "critical?"

they weren't meant as scare quotes, just regular quotes. sorry for the confusion.

jake

Two new (one "critical") Ruby on Rails vulnerabilities

quad — Thu, 10 Jan 2013 14:28:08 +0000

Why the scare quotes around "critical?"

Two new (one "critical") Ruby on Rails vulnerabilities

ovitters — Thu, 10 Jan 2013 10:32:14 +0000

Dutch government requires DigiD if a citizen wants to login to a government website (any). DigiD apparently uses Ruby on Rails, so they took the entire DigiD offline. As a result, you could not login anymore. Meaning: you could not handle anything government related issue electronically. Whoops :P

One of the various Dutch articles about this:
http://nos.nl/artikel/459883-digid-onbereikbaar-na-lek.html

Two new (one "critical") Ruby on Rails vulnerabilities

bronson — Thu, 10 Jan 2013 02:36:58 +0000

It appears that Rails's desire to accept any input and the assumption "user input can never be a symbol" are in ongoing conflict.

Likely both are wrong. Nobody accepts parameters as XML or YAML so why do these code paths exist at all?

I really hope they clean up the root problem in Rails 4. All this patching is getting tiresome.

Two new (one "critical") Ruby on Rails vulnerabilities

dakas — Wed, 09 Jan 2013 14:19:58 +0000

Ruby on Rails continues keeping the xkcd comic "Exploits of a mom" topical.