It's poor design in Rails, but not a security hole as such. The security hole was on GitHub's side.


I'm no Rails expert, but I tend to like the OpenBSD philosophy: if you ship with default options that are known to be insecure, you have a security bug.

I know security is always a trade-off, but when your largest and most famous testimonials, with all their mad skillz and street cred, still manage to get it so spectacularly wrong, it's clear that the core engine is as guilty as any other component.


I like the part where the Rails developer says:

The user has a flag to secure by default, I personally think that is enough. https://github.com/rails/rails/issues/5228#issuecomment-4300...

In other words, Rails actually does have a flag to make the mass assignment feature secure by default. But this flag defaults to 'false'.

https://github.com/rails/rails/pull/4062/files#diff-1
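To make the point of this comment concrete, here is an added example that is not part of the thread and not Rails code: a small stand-alone Ruby class that mimics Rails 3 style mass assignment, with a class-level `whitelist_attributes` switch modelled on `config.active_record.whitelist_attributes` and an `attr_accessible` modelled on the Rails macro of the same name. The model names, the `admin` attribute and the request params are constructed for the illustration. It shows the three states the thread is arguing about: the insecure default (no whitelist, flag off) lets a client set every column, the flag alone blocks everything on a model that never declared a whitelist, and an explicit whitelist lets only the named attributes through.

```ruby
# Added example (not from the HN thread and not Rails' own implementation):
# a minimal model that reproduces the mass-assignment behaviour discussed above.

class MiniModel
  # Stands in for Rails' config.active_record.whitelist_attributes.
  # Assumption taken from the thread: the real flag defaults to false.
  @@whitelist_attributes = false

  def self.whitelist_attributes=(value)
    @@whitelist_attributes = value
  end

  def self.whitelist_attributes
    @@whitelist_attributes
  end

  # Modelled on Rails' attr_accessible: declares the only attributes a
  # request hash may set on this model.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible_attributes
    @accessible # nil when the developer never declared a whitelist
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    assign_attributes(params)
  end

  # Copies request params onto the model, subject to the whitelist rules.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    params.each do |key, value|
      key = key.to_s
      if allowed.nil?
        # No attr_accessible on this model. With the flag off (the default)
        # everything is assignable; with the flag on, nothing is.
        next if self.class.whitelist_attributes
      else
        next unless allowed.include?(key)
      end
      @attributes[key] = value
    end
    self
  end
end

# Constructed models for the example.
class Account < MiniModel
  # No attr_accessible here: the developer forgot the whitelist.
end

class SafeAccount < MiniModel
  attr_accessible :name
end

# Constructed request body: a client tries to set a privileged column
# alongside the field the form actually exposes.
PARAMS = { "name" => "alice", "admin" => true }.freeze

# Flag off, no whitelist: every key in the request lands on the model.
def mass_assign_insecure_default
  MiniModel.whitelist_attributes = false
  Account.new(PARAMS).attributes
end

# Flag on, no whitelist: the model has an empty whitelist, so nothing lands.
def mass_assign_with_flag
  MiniModel.whitelist_attributes = true
  Account.new(PARAMS).attributes
end

# Explicit whitelist: only the declared attribute lands, whatever the flag says.
def mass_assign_with_whitelist
  SafeAccount.new(PARAMS).attributes
end

if __FILE__ == $PROGRAM_NAME
  p mass_assign_insecure_default
  p mass_assign_with_flag
  p mass_assign_with_whitelist
end
```

The second case is why the thread calls the flag's default a design problem rather than a feature: turning it on makes the forgotten whitelist fail closed instead of open, but only for applications that knew to set it.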


That's what PHP programmers were saying for years regarding magic_quotes (which didn't actually make things less secure). That this is apparently the default behaviour of Rails... yeah, it's a security issue.

