This fucking Russian kid issued a security ticket to Rails developers and they basically told him it's the user's responsibility to protect themselves against the vulnerability. He responded by demonstrating that even Github--the second largest Rails application next to Twitter--wasn't protected. Funny as hell.
Rails and Github confirmed for shit software by shit developers.
Swoony3 commented on b839657 13 hours ago Have you read your SICP today?
Name: Anonymous 2012-03-05 3:18
Ruby is a badly designed hyped shit. The real Ruby's name must be "Puby", because every shitty language should have 'P' at the beginning of its name, like there is a "gold-" prefix to every true jewish surname.
Man I had to deal with some PHP code by a dumbass who was using extract() on all the $_POST and $_GET data for forms so he could reference the fields like $name and shit. Can't believe he got paid for it and is probably still doing it.
Vulnerability in PHP: Fix it and break something else that nobody should be using anyway, as in the whole language.
Vulnerability in Rails: claim it to be an elegant and opinionated feature, 2deep4u.
>>10
Unless you make an elegant and opinionated CL web framework that just evals untrusted input. You can help CL rise to be the most popular web language using that
What bugs me most about all this is that someone found a serious vulnerability in a popular piece of software and abused it on one of the most popular programming websites. How does the greater GitHub community respond? By posting fucking image macros.
>>13
Image macros and circle jerking. When that guy said that they fixed the issue they were like "oh @holman, our heeeeeerooooo". Then one guy asked if they pushed their bugfix to Rails, as if they actually fixed the real issue. What really probably happened is they fucking panicked, asked the Rails devs what the fuck was going on and got their hands held through the process of securing their shit like they should have done 2-3 years ago. How do you have a company of 60 employees and not a single one has read the fucking documentation?
Name: Anonymous 2012-03-05 7:59
The Russian isn't a kid; he is smart.
Github fixed it afterwards too.
If anybody wants to know exactly what he did, it was nothing sophisticated at all. All he had to do was create HTML form fields with WebInspector (lol, Safari) and submit. He got access to RoR's repo just by going to the control panel where you submit a public key and changing the user ID to point to Rails. You could edit and delete anybody's post just by changing the ID of one of your own posts. There were no permission checks at all. He and his friend have confirmed that several high profile Rails apps are open to these junior-skiddie-level attacks.
Ultimately, however, the Rails devs were right to a degree. It's the user's responsibility to secure their shit and framework devs shouldn't necessarily have to restrict everything by default. The interesting thing is Rails seems to be the exception because their market seems to consist almost exclusively of complete fucking idiots with shitloads of venture capital.
Because GitHub is so high profile in the Ruby community and none of the fanboys are going to call them out for being nothing more than shitty brogrammers, Rails has no choice but to take responsibility and fix the "bug". It must be really embarrassing for the real hackers on the team, if there are any.
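The mass-assignment pattern the post above describes, modelled in plain Ruby as an added example (not code from Rails or GitHub): the unsafe class writes every submitted field, the hardened one whitelists fields and takes the owner from the session, and the post lookup is scoped to the caller. Class names, the sample params and the post records are constructed for the demo.

```ruby
# Vulnerable pattern: every submitted field is written to the record,
# mirroring an update from params with no attribute whitelist.
class UnsafeKey
  attr_accessor :user_id, :title, :key
  def initialize(params)
    params.each { |name, value| send("#{name}=", value) }
  end
end

# Hardened pattern: only the fields the form is meant to set are copied
# (the role attr_accessible / strong parameters play in Rails), and the
# owner comes from the authenticated session, never from the request.
class SafeKey
  PERMITTED = %w[title key].freeze
  attr_reader :user_id, :title, :key
  def initialize(params, current_user_id)
    @user_id = current_user_id
    params.each do |name, value|
      next unless PERMITTED.include?(name.to_s)
      instance_variable_set("@#{name}", value)
    end
  end
end

# Constructed request: an ordinary form plus one extra field the page
# never rendered (the "add a field with WebInspector" case above).
TAMPERED_PARAMS = {
  "title" => "laptop", "key" => "ssh-ed25519 EXAMPLEKEY", "user_id" => 42
}.freeze
SESSION_USER_ID = 7  # hypothetical logged-in user

def unsafe_owner(params = TAMPERED_PARAMS)
  UnsafeKey.new(params).user_id        # => 42: owner chosen by the request
end

def safe_owner(params = TAMPERED_PARAMS, uid = SESSION_USER_ID)
  SafeKey.new(params, uid).user_id     # => 7: session owner, extra field dropped
end

# Ownership check for the "edit anybody's post by changing its ID" case:
# the lookup is scoped to the caller's own records, so a foreign id finds nothing.
POSTS = [
  { id: 1, user_id: 7, body: "mine" },
  { id: 2, user_id: 9, body: "theirs" }
].freeze

def editable_post(post_id, uid = SESSION_USER_ID)
  POSTS.find { |p| p[:id] == post_id && p[:user_id] == uid }
end
```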
>>16
I cannot believe that there were no security checks after submitting the forms. Seriously, what the FUCK. And it took so bloody long for people to realize (I don't use Github; won't ever be now after seeing this bullshit). Now I should make a hobby of going to RoR sites and bombing the fuck outta their forms to see what interesting behaviour occurs...
Name: Anonymous 2012-03-05 14:45
Why critics of Rails have it all wrong (and Ruby's bright multicore future)