I liked Nick Kallen's idea on making it a "framework thing": https://twitter.com/#!/nk/status/176466894876966912 https://twitter.com/#!/nk/status/176467242735775744
On Mar 5, 2012, at 5:40 PM, Chris McCann wrote:

> A developer used the Rails mass assignment vulnerability to basically
> give himself push access to any Github repo. He claims he made Github
> aware of the problem before taking action to highlight it.
>
> Here's an article about it:
>
> http://www.h-online.com/open/news/item/GitHub-security-incident-highlights-Ruby-on-Rails-problem-1463207.html
>
> The take-away: make sure you're not leaving your Rails apps open to
> exploit this way. Be sure to use attribute white-lists or black-lists
> to protect assignment that could give users elevated privileges or
> access to other users' stuff.
>
> See the Rails Security Guide
> http://guides.rubyonrails.org/security.html#mass-assignment.
>
> Cheers,
>
> Chris
>
> --
> SD Ruby mailing list
> [email protected]
> http://groups.google.com/group/sdruby
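Added example, not code from the thread or from Rails itself: a plain-Ruby model that mimics ActiveRecord-style mass assignment so the quoted advice can be run without Rails. The class names, the `update_attributes` stand-in, the `ACCESSIBLE` list and the request hash are constructed for the illustration.

```ruby
# Constructed stand-in for an ActiveRecord model: every key in the params
# hash is assigned through its setter, the way an unprotected
# update_attributes(params[:user]) would behave.
class UnsafeUser
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  def update_attributes(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Mirrors the attribute white-list idea from the Rails Security Guide
# (attr_accessible): only listed keys may be mass-assigned, anything else
# in the request is dropped before it reaches a setter.
class SafeUser < UnsafeUser
  ACCESSIBLE = %w[name email].freeze

  def update_attributes(params)
    filtered = params.select { |key, _| ACCESSIBLE.include?(key.to_s) }
    super(filtered)
  end
end

# Constructed request parameters: the form only exposes name and email,
# but nothing stops a client from adding a field the model also has.
TAMPERED_PARAMS = {
  "name" => "mallory",
  "email" => "mallory@example.test",
  "admin" => true
}.freeze

# Returns the admin flag after unfiltered assignment.
def unsafe_admin?
  UnsafeUser.new.update_attributes(TAMPERED_PARAMS).admin
end

# Returns the admin flag after white-listed assignment.
def safe_admin?
  SafeUser.new.update_attributes(TAMPERED_PARAMS).admin
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered assignment grants admin: #{unsafe_admin?}"   # true
  puts "white-listed assignment grants admin: #{safe_admin?}"   # false
end
```

In a Rails 3 model the equivalent declaration is `attr_accessible :name, :email`; the point the guide makes is that the list of assignable attributes lives on the model, not in each controller action.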
