Thanks Fred. Two more questions:
Frederick Cheung wrote:
> Normal js files are just served as-is (and if you have set things up
> right never even touch rails at all (i.e. they are served directly by
> nginx or apache)).
>
> if you have an action that renders a .js.erb template you'll get what
> you want.
Yes, I ran across some references to ".js.erb" files; unfortunately I
have not found much of an explanation of them. I have a couple of books
from the library ("The Art of Rails", IMO at best mediocre, and "Ajax on
Rails" which seems great).
I even grepped through the API for "\.js\.erb" and it's not in there
even once... perhaps the suffix recently changed? Anyway, any pointers
to reading material here would be much appreciated.
> I have a sneaking suspicion that would allow an attacker to read any
> file on your hard disk (by passing the absolute path to the file as
> params[:part])
I just tried that; it might work if the filename has a _ for a prefix,
but I doubt that since the server error also refers to the "views path
app/views".
I am just working at home while learning anyway. I was surprised when I
noticed I get unrestricted access to the filesystem by default; I
presume WEBrick was not intended for security. I would assume that
if/when I put something up on a real server, they will not be permitting
that possibility if it can be prevented? Otherwise I'm surprised anyone
hosts Rails at all...but further thoughts from anyone would be welcome.
--
Posted via http://www.ruby-forum.com/.
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
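As an added example (not code from this thread or from Rails itself), here is a plain-Ruby sketch of the check Fred's warning calls for: a template name taken straight from a request parameter is joined to the views directory, and a safer resolver allow-lists the name and confirms the resolved path still lies inside the views tree. The view tree, file names and the `ALLOWED_PARTS` list are constructed for the demo.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Constructed stand-in for app/views (temporary directory, demo only).
VIEWS_ROOT = Pathname.new(Dir.mktmpdir("views_demo"))
FileUtils.mkdir_p(VIEWS_ROOT.join("widgets"))
File.write(VIEWS_ROOT.join("widgets", "_header.js.erb"), "alert('header');")
File.write(VIEWS_ROOT.join("widgets", "_footer.js.erb"), "alert('footer');")

# Partial names the action is actually meant to serve (assumed allow-list).
ALLOWED_PARTS = %w[header footer].freeze

# True only if +path+ resolves to somewhere underneath VIEWS_ROOT.
# expand_path collapses "..", and Pathname#join keeps an absolute argument
# as-is, so both traversal and absolute-path inputs fail this test.
def inside_views?(path)
  root = VIEWS_ROOT.expand_path.to_s + File::SEPARATOR
  path.expand_path.to_s.start_with?(root)
end

# The risky pattern: the parameter becomes the template path unchanged.
# An absolute path such as "/etc/passwd" replaces VIEWS_ROOT entirely.
def unsafe_template_path(part)
  VIEWS_ROOT.join(part)
end

# Safer resolver: allow-list the name first, then build the fixed
# "_<name>.js.erb" filename and verify it stays inside the views tree.
def safe_template_path(part)
  return nil unless ALLOWED_PARTS.include?(part)
  path = VIEWS_ROOT.join("widgets", "_#{part}.js.erb")
  return nil unless inside_views?(path) && path.file?
  path
end
```

In a Rails action the same idea applies: map `params[:part]` through an allow-list and render a fixed partial name, rather than handing the raw parameter to `render`.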