I was concerned when I saw the title of the message, but I think the 
solution is as simple as just informing people to make sure that any README 
for Rails apps they share on GitHub (or wherever they have that token 
exposed) states that the user of the application should change that token to a 
sufficiently random token, and that they should follow the security guide 
at http://guides.rubyonrails.org/security.html as well as keeping up with 
everything they can as it relates to security.

In the current release version of Rails (3.2.9), the file that Rails 
generates resides in: config/initializers/secret_token.rb 

Unfortunately, it looks like the guide in 3.2.9 and master still refer to 
setting that value in environment.rb, even though it is set via 
config/initializers/secret_token.rb:
https://github.com/rails/rails/blob/master/guides/source/security.md
http://guides.rubyonrails.org/security.html

However, the "configuring" section in 3.2.9 and master was updated to 
indicate that config/initializers/secret_token.rb is the place where that 
is stored and that it is randomly generated, per: "Applications get 
config.secret_key_base initialized to a random key in 
config/initializers/secret_token.rb."
https://github.com/rails/rails/blob/master/guides/source/configuring.md
http://guides.rubyonrails.org/configuring.html

It may be good to add in the guide that puppet, chef, capistrano, or 
whatever you use to deploy/setup could be used to copy an 
environment-specific version of that file and to guard it and 
config/database.yml with your life, if security is a concern, which it 
usually is.

Thanks for bringing this up, because it is a good idea to mention it for 
those sharing apps, and because it should probably be clearer in the Rails 
guide.

Unless someone else is messing with the guide, I could update the security page 
to note the secret_token.rb file vs. use of environment.rb and to note that 
for a greater (suggested) level of security, database.yml and 
secret_token.rb should be copied during deploy and be specific for that 
environment. I don't think that is overly opinionated as a basic level of 
security, is it?

On Friday, December 21, 2012 12:47:09 PM UTC-5, Al wrote:
> http://www.reddit.com/r/netsec/comments/158g8s/hijacking_ruby_on_rails_apps_through_exposed/
>
> FYI

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/rubyonrails-core/-/e4uIW2tm8TwJ.
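The message above recommends two things: that a shared Rails 3.2 app ship with a sufficiently random `config.secret_token` rather than the one committed to the repository, and that deploy tooling write an environment-specific `config/initializers/secret_token.rb` instead of checking it in. The following Ruby script is an added example, not code from this thread or from Rails itself: it generates a token the way `rails new` does (64 random bytes as hex), flags tokens that look like committed placeholders, and installs a per-environment initializer with restrictive permissions. The `MyApp` application constant, the placeholder keyword list, and the "fewer than 8 distinct characters" heuristic are assumptions chosen for the example.

```ruby
# Added example (not from the rubyonrails-core thread): generate, check and
# install an environment-specific Rails 3.2 secret_token.rb at deploy time.
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Rails 3.2 refuses secret tokens shorter than 30 characters.
MIN_TOKEN_LENGTH = 30

# Same shape as the token `rails new` writes: 64 random bytes, hex-encoded (128 chars).
def generate_secret_token
  SecureRandom.hex(64)
end

# Heuristic for a token that should not reach production: missing, too short,
# an obvious placeholder word, or so few distinct characters that it was
# clearly typed by hand ("aaaa...", "changeme"). The keyword list is an
# assumption for this example, not a Rails rule.
def weak_secret_token?(token)
  return true if token.nil? || token.length < MIN_TOKEN_LENGTH
  return true if token =~ /(changeme|secret|password|todo|replace|example)/i
  return true if token.chars.uniq.size < 8
  false
end

# Pull the literal token out of an initializer's source text, or nil if absent.
def extract_secret_token(source)
  m = source.match(/config\.secret_token\s*=\s*['"]([^'"]*)['"]/)
  m && m[1]
end

# Render a Rails 3.2 style initializer body. `app_const` is the application's
# module name (assumed to be MyApp here).
def render_secret_token_rb(token, app_const = 'MyApp')
  <<-RUBY
# Be sure to restart your server when you modify this file.
# Your secret key for verifying the integrity of signed cookies.
# Written per environment at deploy time; keep it out of version control.
#{app_const}::Application.config.secret_token = '#{token}'
  RUBY
end

# Deploy-time step (what a Capistrano/Chef/Puppet task would call):
# write a fresh token unless a strong one is already installed, and make
# the file readable only by the owner. Returns [:kept|:written, path].
def install_secret_token(app_root, app_const: 'MyApp', force: false)
  path = File.join(app_root, 'config', 'initializers', 'secret_token.rb')
  if File.exist?(path) && !force
    existing = extract_secret_token(File.read(path))
    return [:kept, path] unless weak_secret_token?(existing)
  end
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, render_secret_token_rb(generate_secret_token, app_const))
  File.chmod(0600, path)
  [:written, path]
end

# Stand-alone demo against a throwaway app root (constructed input).
if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    status, path = install_secret_token(root, app_const: 'Demo')
    puts "#{status}: #{path}"
    puts "weak?(committed placeholder) = #{weak_secret_token?('changeme')}"
    puts "weak?(installed token)      = #{weak_secret_token?(extract_secret_token(File.read(path)))}"
  end
end
```

`install_secret_token` is idempotent on a host that already has a strong token, so it is safe to run on every deploy; pass `force: true` to rotate the token deliberately, which also invalidates every existing signed cookie for that environment.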