
Why Rails and Github are shit.

Name: Anonymous 2012-03-05 2:46

https://github.com/rails/rails/issues/5228
https://github.com/rails/rails/issues/5239
https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57

This fucking Russian kid issued a security ticket to Rails developers and they basically told him it's the user's responsibility to protect themselves against the vulnerability. He responded by demonstrating that even Github--the second largest Rails application next to Twitter--wasn't protected. Funny as hell.

Rails and Github confirmed for shit software by shit developers.

Name: Anonymous 2012-03-05 8:38

If anybody wants to know exactly what he did, it was nothing sophisticated at all. All he had to do was create HTML form fields with WebInspector (lol, Safari) and submit. He got access to RoR's repo just by going to the control panel where you submit a public key and changing the user ID to point to Rails. You could edit and delete anybody's post just by changing the ID of one of your own posts. There were no permission checks at all. He and his friend have confirmed that several high profile Rails apps are open to these junior-skiddie-level attacks.

Ultimately, however, the Rails devs were right to a degree. It's the user's responsibility to secure their shit and framework devs shouldn't necessarily have to restrict everything by default. The interesting thing is Rails seems to be the exception because their market seems to consist almost exclusively of complete fucking idiots with shitloads of venture capital.

Because GitHub is so high profile in the Ruby community and none of the fanboys are going to call them out for being nothing more than shitty brogrammers, Rails has no choice but to take responsibility and fix the "bug". It must be really embarrassing for the real hackers on the team, if there are any.
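For readers who want to see the two defects from both posts side by side with their fixes, here is an added example; it is not code from the thread, from Rails or from GitHub, and it needs no Rails install. It models a public-key record in plain Ruby: the "vulnerable" handlers write whatever the form sends (so a hidden user_id field sets ownership) and look records up by submitted id alone, while the "hardened" handlers take the owner from the session, copy only whitelisted fields (the attr_accessible / strong-parameters idea) and check ownership before an edit. The class and method names, the field list and the user ids are assumptions for illustration.

```ruby
# Added example (not from the thread or from Rails/GitHub): mass assignment
# and a missing ownership check, each beside its defence. All names and
# values below are constructed for illustration.

class NotAuthorized < StandardError; end

class PublicKey
  # Fields a user may legitimately submit; user_id is deliberately absent.
  PERMITTED_FIELDS = %w[title key].freeze

  attr_reader :attrs

  # Vulnerable constructor: every submitted field becomes a column value,
  # "user_id" included. This is the default behaviour the thread complains about.
  def initialize(attrs)
    @attrs = attrs.transform_keys(&:to_s)
  end

  def id;      attrs["id"];      end
  def user_id; attrs["user_id"]; end
  def title;   attrs["title"];   end

  # Hardened assignment: copy only whitelisted fields (attr_accessible-style).
  def assign_permitted(params)
    params.transform_keys(&:to_s).each do |name, value|
      attrs[name] = value if PERMITTED_FIELDS.include?(name)
    end
    self
  end

  # Vulnerable assignment: copy everything the client sent.
  def assign_all(params)
    params.transform_keys(&:to_s).each { |name, value| attrs[name] = value }
    self
  end
end

# --- handlers standing in for controller actions ---

# Vulnerable create: ownership comes from the request body.
def vulnerable_create(_current_user_id, params)
  PublicKey.new(params)
end

# Hardened create: ownership comes from the session, never from the form,
# and the remaining fields pass through the whitelist.
def hardened_create(current_user_id, params)
  PublicKey.new("user_id" => current_user_id).assign_permitted(params)
end

# Vulnerable update: finds the record by the submitted id and nothing else.
def vulnerable_update(keys, _current_user_id, params)
  key = keys.fetch(params["id"].to_i)
  key.assign_all(params.reject { |k, _| k == "id" })
end

# Hardened update: the record must belong to the caller; then whitelist.
def hardened_update(keys, current_user_id, params)
  key = keys.fetch(params["id"].to_i)
  unless key.user_id == current_user_id
    raise NotAuthorized, "key #{key.id} is not owned by user #{current_user_id}"
  end
  key.assign_permitted(params.reject { |k, _| k == "id" })
end

# Constructed data: user 100 owns key 1; requests come from user 200, whose
# form submission carries an extra user_id field.
def seed_keys
  { 1 => PublicKey.new("id" => 1, "user_id" => 100, "title" => "laptop",
                       "key" => "ssh-ed25519 AAAA-constructed") }
end

INJECTED_CREATE = { "title" => "deploy", "key" => "ssh-ed25519 BBBB-constructed",
                    "user_id" => 100 }.freeze
INJECTED_UPDATE = { "id" => "1", "title" => "renamed", "user_id" => 200 }.freeze

# Runs each handler against the injected requests and reports the outcome.
def demo
  blocked = begin
    hardened_update(seed_keys, 200, INJECTED_UPDATE)
    false
  rescue NotAuthorized
    true
  end
  {
    vulnerable_create_owner: vulnerable_create(200, INJECTED_CREATE).user_id, # 100: key lands on the victim
    hardened_create_owner:   hardened_create(200, INJECTED_CREATE).user_id,   # 200: session wins
    vulnerable_update_owner: vulnerable_update(seed_keys, 200, INJECTED_UPDATE).user_id, # 200: key taken over
    hardened_update_blocked: blocked,                                                   # true
    owner_update_title:      hardened_update(seed_keys, 100, INJECTED_UPDATE).title,    # "renamed"
    owner_update_owner:      hardened_update(seed_keys, 100, INJECTED_UPDATE).user_id   # 100: user_id ignored
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The two fixes are independent and both are needed: the whitelist stops the form from choosing an owner, and the ownership check stops a valid user from editing someone else's record by renumbering the id. Note that the legitimate owner's update still goes through the hardened path with its user_id field silently dropped, which is the behaviour you want from a whitelist.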
