Skip to content

{ Tag Archives } rails

YAML and Remote Code Execution

YAML’s security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.
It’s Not Just Ruby
A few weeks ago, I had a need to parse Jasmine’s jasmine.yml in some C# code. I spent some time looking at [...]

Also tagged , , ,

An Excuse Not to Roll Your Own Authentication Scheme

The Rails 3.1 Release Candidate announcement contained news of many new and useful features, plus these regretful words:
has_secure_password: Dead-simple BCrypt-based passwords. Now there’s no excuse not to roll your own authentication scheme.
I will briefly provide an excuse.
"Simple BCrypt-based passwords" is a reasonable feature, but shouldn’t be mistaken for end-to-end authentication, or even a substantial subset [...]

Also tagged , , ,

What ASP.NET MVC Did Learn from Rails

This morning, I saw two different posts from Rails developers who were newly learning ASP.NET MVC, both bemoaning the fact that ASP.NET MVC does not supply/force upon you one particular ORM. The dependency on ActiveRecord is, to my way of thinking, a shortcoming of Rails, which the Rails community is presently doing an exceptional job [...]

Also tagged , ,

Lightweight Frameworks, Again

A couple weeks ago, I wrote a post noting that I liked the lightweight nature of the Ruby web framework Merb. Today comes the news that Merb and Rails will be merging in Rails 3. People who see Merb as the "anti-Rails" seem to find this surprising. But people who see Merb as "Rails done [...]

Also tagged , , , ,

Bad Behavior has blocked 1297 access attempts in the last 7 days.