GitHub uses the Ruby on Rails application framework, and Rails has
been weak to what’s known as a mass-assignment vulnerability for years
--
a
Andy Bach,
afb...@gmail.com
608 658-1890 cell
608 261-5738 wk
But seriously, this was a Github bug, not a Rails 'vulnerability'.
Rails offers mass assignment as a *feature*, which can be used (or
abused) at the developer's discretion.
Egor got impatient with rails-core folk not agreeing with his POV that
this feature should safer by default (by requiring the developer to
affirmatively whitelist attributes to be mass assigned) and decided to
get creative.
Egor was absolutely, positively wrong to do what he did, and Github
was right to treat him in the immediate aftermath of his
'demonstration' as a threat. However, it was quickly clear that Egor
meant no harm and so he was reinstated (once his improper privileges
were removed). The speed and effectiveness of Github's response was
absolutely extraordinary in my opinion, and greatly increased the
already considerable amount of respect I have for them.
I also think Egor was also basically *right* that the default is too
insecure, so... point made! A 'fix' to the defaults was merged into
Rails by Sunday afternoon. Doesn't justify the means, though--I mean,
that's ethics 101, right?
I just wanted to clear that up because there was a *lot* of FUD
floating around (that article you linked to is OK though). I think
the way Github and the Rails community responded is exactly why Github
is such a great company and Rails is such a strong framework.
Cheers,
Jonathan
--
Jonathan Broad
VP of Application Development
Getty Images, Inc.
> --
> You received this message because you are subscribed to the Google Groups "Mad Railers, the Madison, WI Ruby on Rails Users Group" group.
> To visit the Madison Rails Home page, go to http://madisonrails.com/
> To post to this group, send email to Mad-R...@googlegroups.com
> To unsubscribe from this group, send email to Mad-Railers...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/Mad-Railers?hl=en
Best,
Rob
It was interesting to go to the commit and then read the comments
thread - interesting place, that github (the fellow who did the hack
has the Octocat as a tatoo? Or did I miss the sarcasm font?).
As the situation has been talked about since '08 ... there's enough
oops to go around.