Thanks for the explanation. That is useful. My problem now is that it
appears that I can no longer use ActiveResource to consume this web service.

Note that this is a trusted web service: my Rails app is initiating the
request using ActiveResource and I'm using a hardcoded URL that definitely
goes to the trusted site.

I was able to consume the web service with:

require 'active_support/core_ext/hash/conversions' # provides Hash.from_xml
doc = `curl "#{created_url_by_hand}"`               # created_url_by_hand is the hardcoded, trusted URL
doc = doc.gsub("type=\"symbol\"", "")               # strip the symbol type hint so the value is parsed as a String
doc = Hash.from_xml(doc)

There are some differences between the hash I receive that way and the
object that would have been created, so I'm off to debugging land! Sigh.



On Mon, Jan 14, 2013 at 10:36 AM, Jordon Bedwell <[email protected]>wrote:

> On Mon, Jan 14, 2013 at 8:59 AM, Paul <[email protected]> wrote:
> > I didn't quite understand what you mean by "that fix". Do you mean the
> > security fix which caused my problem or the patch described by the blog
> > post I mentioned above which might relieve my problem?
> >
> > I've tracked down the line that I'm receiving from the web service that
> > is causing the problem:
> >
> > <myattr type="symbol">myvalue</src>
>
> Read:
> http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
>
> > Is my recommended action to change the value returned by the web service
> > to be a string, then change my client so that it expects a string as a
> > return value?
>
> Yes and use Hash fallbacks AKA Hash.new { } to convert symbol keys
> that you choose to use yourself (symbols you expect) back to the
> string keys so you can have indifferent access.
>
> >
> > I'm not sure what is dangerous about interpreting a value as a symbol.
> > Can you give me an example of what could replace myvalue that would create
> > havoc?
>
> Symbols are the only constant constant in Ruby.  Once they are created
> they are created.  Parsing user input into a symbol is dangerous
> because now all they need to do is keep sending you data with different
> values and eventually you get DoS'd because you've exhausted memory
> from all the symbols they've created for you.
>
> In a normal situation most good sysadmins will have stuff that catches
> the rising memory and kills it and restarts it long before that happens
> or have limits in place that prevent excessive memory and CPU usage (to
> an extent... meaning good sysadmins always make sure there are enough
> resources to recover from a disaster and leave the rest to the app)
> but that's a cat-and-mouse game there and it's hard to figure out who is
> the cat and who is the mouse, it's better to just reject the symbol
> serialization flat out and save yourself the trouble.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>

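The pattern Jordon describes above (keep everything from the remote document as a String, convert only the symbols you yourself expect, and use a Hash default proc for indifferent access), as an added example that is not part of this thread. It uses the standard-library REXML parser instead of ActiveSupport's Hash.from_xml, and the element names, KNOWN_SYMBOLS set and SAMPLE_XML are constructed for the example.

```ruby
require 'rexml/document' # stdlib XML parser (assumption: ActiveSupport is not loaded here)

# Constructed sample: a response carrying the type="symbol" hint from the thread.
SAMPLE_XML = <<~XML
  <record>
    <status type="symbol">active</status>
    <note type="symbol">anything_the_remote_side_sent</note>
  </record>
XML

# Symbols this application already knows about (assumed set); anything else stays a String.
KNOWN_SYMBOLS = %i[active inactive pending].freeze

# Parse the document into a Hash of Strings. The type="symbol" attribute is read but
# deliberately not honoured, so remote data never interns new symbols in this process.
def xml_to_string_hash(xml)
  doc = REXML::Document.new(xml)
  result = {}
  doc.root.elements.each do |el|
    # el.attributes["type"] may say "symbol"; we keep the value as a String regardless.
    result[el.name] = el.text.to_s.strip
  end
  result
end

# Convert a value to a Symbol only if it is one we expect; otherwise return the String.
# Matching against the known set means the caller, not the remote side, decides which
# symbols exist.
def safe_symbolize(value)
  KNOWN_SYMBOLS.find { |s| s.to_s == value } || value
end

# Indifferent access via a Hash default proc: a Symbol lookup falls back to the String
# key, so code written as hash[:status] keeps working against the string-keyed data.
def indifferent(hash)
  h = Hash.new { |store, key| key.is_a?(Symbol) ? store[key.to_s] : nil }
  h.update(hash)
end

if __FILE__ == $PROGRAM_NAME
  parsed = xml_to_string_hash(SAMPLE_XML)
  data = indifferent(parsed)
  puts "status via symbol key: #{data[:status].inspect}"
  puts "safe_symbolize(status): #{safe_symbolize(data[:status]).inspect}"
  puts "safe_symbolize(note):   #{safe_symbolize(data[:note]).inspect}"
end
```

Since Ruby 2.2, symbols created at runtime with String#to_sym are garbage-collectable, which softens the memory-exhaustion concern raised in the thread, but keeping remote values as Strings and whitelisting the symbols you convert remains the simpler and safer contract between the client and the service.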