On Mon, Jan 14, 2013 at 8:59 AM, Paul <[email protected]> wrote:

> I didn't quite understand what you mean by "that fix". Do you mean the
> security fix which caused my problem or the patch described by the blog post
> I mentioned above which might relieve my problem?
>
> I've tracked down the line that I'm receiving from the web service that is
> causing the problem:
>
> <myattr type="symbol">myvalue</src>

Read: http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/

> Is my recommended action to change the value returned by the web service to
> be a string, then change my client so that it expects a string as a return
> value?

Yes, and use Hash fallbacks, AKA Hash.new { }, to convert symbol keys that you choose to use yourself (symbols you expect) back to the string keys, so you can have indifferent access.

> I'm not sure what is dangerous about interpreting a value as a symbol. Can
> you give me an example of what could replace myvalue that would create
> havoc?

Symbols are the only constant constant in Ruby. Once they are created, they are created. Parsing user input into a symbol is dangerous because now all they need to do is keep sending you data with different values, and eventually you get DOS'd because you've exhausted memory from all the symbols they've created for you.

In a normal situation most good sysadmins will have stuff that catches the rising memory and kills it and restarts it long before that happens, or have limits in place that prevent excessive memory and CPU usage (to an extent... meaning good sysadmins always make sure there are enough resources to recover from a disaster and leave the rest to the app), but that's a cat-and-mouse game there and it's hard to figure out who is the cat and who is the mouse. It's better to just reject the symbol serialization flat out and save yourself the trouble.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
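The advice in the reply above (refuse the `type="symbol"` caster on untrusted XML, keep the value a String, and get indifferent access from a `Hash.new` fallback rather than by interning input) as an added example. This is not code from the thread, from Rails, or from the linked release; `parse_untrusted_xml`, `SAFE_CASTERS`, `indifferent` and the sample document are constructed for illustration, and the parser is a deliberately small REXML walk rather than `Hash.from_xml`.

```ruby
require "rexml/document"

# Constructed sample: the shape of element the web service in the thread sends,
# plus one element with a type we are happy to cast.
SAMPLE_XML = '<root><myattr type="symbol">myvalue</myattr>' \
             '<count type="integer">3</count></root>'

# Casters we are willing to apply to attacker-controlled text.
# "symbol" (and "yaml") are deliberately absent: every distinct string the
# remote side sends would become a new, never-reclaimed Symbol, which is the
# memory-exhaustion DoS the reply describes.
SAFE_CASTERS = {
  "string"  => ->(s) { s },
  "integer" => ->(s) { Integer(s, 10) },
  "boolean" => ->(s) { %w[true 1].include?(s.strip) },
}.freeze

# Walks the root's children and returns [values, rejected_types].
# Elements whose type attribute is not in SAFE_CASTERS keep their text as a
# plain String; the rejected type name is recorded so it can be logged.
def parse_untrusted_xml(xml)
  doc = REXML::Document.new(xml)
  values = {}
  rejected = []
  doc.root.each_element do |el|
    type = el.attributes["type"] || "string"
    text = el.text.to_s
    caster = SAFE_CASTERS[type]
    if caster
      values[el.name] = caster.call(text)
    else
      rejected << type
      values[el.name] = text   # never el.text.to_sym
    end
  end
  [values, rejected]
end

# Indifferent access the way the reply suggests: symbol keys that *you* write
# in code fall back to the string keys the parser produced. No input is ever
# converted to a Symbol; only your own literal symbols are converted to strings.
def indifferent(string_keyed)
  h = Hash.new { |me, key| me[key.to_s] if key.is_a?(Symbol) }
  h.merge!(string_keyed)   # merge! preserves h's default block
  h
end

if $PROGRAM_NAME == __FILE__
  values, rejected = parse_untrusted_xml(SAMPLE_XML)
  puts "rejected casters: #{rejected.inspect}"   # ["symbol"]
  h = indifferent(values)
  puts "h[:myattr] => #{h[:myattr].inspect} (#{h[:myattr].class})"
  puts "h['count'] => #{h['count'].inspect}"
end
```

The fallback block is safe against recursion: a Symbol key is retried once as a String, and a missing String key simply returns nil because the block only acts on Symbols.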

