Category Archives: Ruby

YAML and Remote Code Execution

YAML’s security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.
It’s Not Just Ruby
A few weeks ago, I had a need to parse Jasmine’s jasmine.yml in some C# code. I spent some time looking at [...]

An Excuse Not to Roll Your Own Authentication Scheme

The Rails 3.1 Release Candidate announcement contained news of many new and useful features, plus these regretful words:
has_secure_password: Dead-simple BCrypt-based passwords. Now there’s no excuse not to roll your own authentication scheme.
I will briefly provide an excuse.
"Simple BCrypt-based passwords" is a reasonable feature, but shouldn’t be mistaken for end-to-end authentication, or even a substantial subset [...]

Book Review: Rework

Rework, by Jason Fried and David Heinemeier Hansson, cannot accurately be described as the "sequel" to the first book to come out of 37 Signals, Getting Real. As a significant percentage of the book seems to be word for word identical to text in Getting Real, I think it’s more of a "remix." Getting Real [...]

Lightweight Frameworks, Again

A couple weeks ago, I wrote a post noting that I liked the lightweight nature of the Ruby web framework Merb. Today comes the news that Merb and Rails will be merging in Rails 3. People who see Merb as the "anti-Rails" seem to find this surprising. But people who see Merb as "Rails done [...]

Lightweight Frameworks

Big frameworks with strong coupling are prisons. Once you go into them, you’re stuck, and it can be incredibly difficult to get out.

ASP.NET MVC Membership

One of my disappointments with Ruby on Rails is that it provides no support whatsoever for site logins/membership, which I consider to be a fundamental part of many database-driven websites. Of course, the Rails community has responded — and responded, and responded, and responded — to this need. The Rails wiki notes that there [...]

Garbage Collection and Functional Programming

This post is going to be short and sweet, because the point is very simple: If you use a functional programming language (and, if you want to learn to think outside of the Delphi box, you should), then you will be using garbage collection.
