It's not Ruby's fault that an early design decision in Rails led to a security 
vulnerability. Any language where user input can be interpreted in some fashion 
runs into this kind of issue. This was a complex chain of things working 
correctly that led to an undesirable, unanticipated situation. There is every 
chance a strongly typed language could have a similar vulnerability.

The Ruby ecosystem and community meant this was fixed quickly and urgently, 
and I think you'd be silly to think that the Rails core team isn't taking this 
seriously. The number of new vulnerabilities currently coming to light is due 
to a large amount of volunteer scrutiny focused on a new attack vector that 
wasn't really considered before.

> The idea that a database has typing and you throw it away, leading to 
> things like SQL injection. Everything as a string is a problem, I think.

Every language is capable of SQL injection when dealing with user input. An SQL 
statement is a string, and generally browser input starts as a string. Typed 
languages are no more immune to mistakes in parsing than dynamic ones; in fact, 
if you're relying on casting the string input into your types for validation, 
then you've possibly just opened up the door for the exact vulnerability which 
Rails has just shut. It was the magic casting of user input that led to this 
vulnerability, not YAML.
Just my two pence anyway ;)

Jon Rowe
-----------------------------
[email protected]
jonrowe.co.uk


On Saturday, 9 February 2013 at 00:18, Tim Uckun wrote:

> > 
> > But I think he's right that it only adds to existing criticisms (that we're 
> > cavalier, and value glitz over rigour).
> 
> 
> I would like to see the rails team make a commitment to concentrate on
> security, performance and memory consumption for rails 4.X series of
> upgrades. No new features, no new anything. Just make the existing
> features more secure, and performant. It would be a courageous stance
> to take and would send the right message.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ruby or Rails Oceania" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected] 
> (mailto:[email protected]).
> To post to this group, send email to [email protected] 
> (mailto:[email protected]).
> Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
> 
> 

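The point Jon makes above, that "magic" casting of user input is not validation and that a query built from strings is injectable whatever Ruby type the value had a moment earlier, as an added example that is not part of the original thread and not Rails code. It contrasts handing raw parameters to a format parser (here Psych's YAML.safe_load, which still picks the type for you) with explicit per-field coercion, and an interpolated query with a placeholder-bound one. RAW_PARAMS is constructed sample input and NAME_RE is an assumed whitelist policy for the example.

```ruby
require "yaml"

# Constructed sample input: strings exactly as a browser or API client would
# send them. Every value here is attacker-controlled.
RAW_PARAMS = {
  "id"   => "42",
  "name" => "x' OR '1'='1",
  "tag"  => "~",            # YAML null
  "role" => "[admin, ops]", # YAML flow sequence
}.freeze

# "Magic" casting: hand each raw string to a format parser and keep whatever
# typed object comes back. The parser, not the application, picks the type;
# even Psych's safe_load yields Integer, nil, Array, Hash, true/false.
def magic_cast(params)
  params.transform_values { |raw| YAML.safe_load(raw) }
end

# Explicit per-field coercion: each field has one expected type and the check
# fails closed. Integer() in base 10 rejects "42 OR 1=1"; NAME_RE is an
# assumed whitelist policy for this example, not a Rails default.
NAME_RE = /\A[[:alnum:] ._-]{1,40}\z/

def strict_cast(params)
  name = params.fetch("name")
  raise ArgumentError, "name rejected" unless name.match?(NAME_RE)
  { "id" => Integer(params.fetch("id"), 10), "name" => name }
end

# true when strict_cast refuses the input
def rejected?(params)
  strict_cast(params)
  false
rescue ArgumentError
  true
end

# The query is a string, so whatever is spliced in becomes SQL regardless of
# the Ruby type it had a moment ago: 42 -> "42", nil -> "", an Array -> its
# to_s output, and "x' OR '1'='1" -> an always-true predicate.
def build_query_interpolated(id:, name:)
  "SELECT * FROM users WHERE id = #{id} AND name = '#{name}'"
end

# Placeholders keep data out of the SQL text: the driver gets the statement and
# the values separately and never parses the values as SQL.
def build_query_bound(id:, name:)
  ["SELECT * FROM users WHERE id = ? AND name = ?", [id, name]]
end

if __FILE__ == $PROGRAM_NAME
  magic = magic_cast(RAW_PARAMS)
  puts "magic cast types: #{magic.transform_values(&:class)}"
  puts "interpolated:     #{build_query_interpolated(id: magic['id'], name: magic['name'])}"
  puts "strict rejects raw params? #{rejected?(RAW_PARAMS)}"
  ok = strict_cast(RAW_PARAMS.merge("name" => "alice"))
  sql, binds = build_query_bound(id: ok['id'], name: ok['name'])
  puts "bound: #{sql} with #{binds.inspect}"
end
```

Run it with plain `ruby` and compare the two query builders: the interpolated one produces `... name = 'x' OR '1'='1'` from a value that magic_cast happily returned as a String, while the bound one returns the same SQL text for every input and passes the value alongside it. The strict caster rejects the same parameters outright, which is the difference between casting and validating.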