This fucking Russian kid issued a security ticket to Rails developers and they basically told him it's the user's responsibility to protect themselves against the vulnerability. He responded by demonstrating that even Github--the second largest Rails application next to Twitter--wasn't protected. Funny as hell.
Rails and Github confirmed for shit software by shit developers.
If anybody wants to know exactly what he did, it was nothing sophisticated at all. All he had to do was create HTML form fields with WebInspector (lol, Safari) and submit. He got access to RoR's repo just by going to the control panel where you submit a public key and changing the user ID to point to Rails. You could edit and delete anybody's post just by changing the ID of one of your own posts. There were no permission checks at all. He and his friend have confirmed that several high profile Rails apps are open to these junior-skiddie-level attacks.
Ultimately, however, the Rails devs were right to a degree. It's the user's responsibility to secure their shit and framework devs shouldn't necessarily have to restrict everything by default. The interesting thing is Rails seems to be the exception because their market seems to consist almost exclusively of complete fucking idiots with shitloads of venture capital.
Because GitHub is so high profile in the Ruby community and none of the fanboys are going to call them out for being nothing more than shitty brogrammers, Rails has no choice but to take responsibility and fix the "bug". It must be really embarrassing for the real hackers on the team, if there are any.
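The form-field trick described in the post above, shown from the defending side as an added example (not code from the thread or from Rails itself): unchecked assignment that accepts a forged user_id, the allow-listed version that drops it, and a record lookup scoped to the current user. Class names, attribute names and sample values are constructed for the example.

```ruby
# Added example, not from the thread or from Rails: a minimal model that
# assigns attributes from submitted form parameters, first with no restriction
# (every field, including the owner's user_id, is written), then with an
# explicit allow-list in the spirit of Rails' attr_accessible / strong
# parameters, plus a lookup scoped to the current user so a forged record id
# belonging to someone else is simply not found.
class PublicKey
  # Only these attributes may be set from a form; id and user_id are
  # deliberately absent from the list.
  ALLOWED = %w[title key].freeze

  attr_reader :id, :user_id, :title, :key

  def initialize(id:, user_id:, title:, key:)
    @id, @user_id, @title, @key = id, user_id, title, key
  end

  # Vulnerable pattern: whatever keys the form sends are assigned verbatim,
  # so an extra "user_id" field re-parents the key to another account.
  def update_unchecked!(params)
    params.each { |name, value| instance_variable_set("@#{name}", value) }
    self
  end

  # Hardened pattern: assign only allow-listed attributes and return the
  # names that were dropped, which is what the server should log.
  def update_allowed!(params)
    dropped = []
    params.each do |name, value|
      if ALLOWED.include?(name.to_s)
        instance_variable_set("@#{name}", value)
      else
        dropped << name.to_s
      end
    end
    dropped
  end
end

# Constructed sample data: key 10 belongs to user 42.
KEYS = [PublicKey.new(id: 10, user_id: 42, title: "laptop", key: "ssh-ed25519 AAAA...")].freeze

# Look up a record only within the current user's own keys; an edit or delete
# that starts from this lookup cannot reach records owned by anyone else.
def find_owned_key(keys, current_user_id, id)
  keys.find { |k| k.id == id && k.user_id == current_user_id }
end

# Constructed forged submission: the legitimate "key" field plus an added
# "user_id" field pointing at another account.
FORGED_PARAMS = { "key" => "ssh-ed25519 BBBB...", "user_id" => 1 }.freeze
```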
>>16
I cannot believe that there were no security checks after submitting the forms. Seriously, what the FUCK. And it took so bloody long for people to realize (I don't use Github; won't ever be now after seeing this bullshit). Now I should make a hobby of going to RoR sites and bombing the fuck outta their forms to see what interesting behaviour occurs...
Name: Anonymous 2012-03-05 14:45
Why critics of Rails have it all wrong (and Ruby's bright multicore future)