GitHub incidents spawns Rails security debate
GitHub incidents spawns Rails security debate
Posted Mar 27, 2012 13:18 UTC (Tue) by jwakely (subscriber, #60262) In reply to: GitHub incidents spawns Rails security debate by bronson
Parent article: GitHub incidents spawns Rails security debate
The section on mass assignment in the official RoR security guide says "Without any precautions Model.new(params[:model]) allows attackers to set any database column’s value." so simply claiming otherwise doesn't help to clarify anything.
GitHub incidents spawns Rails security debate
Posted Mar 27, 2012 17:31 UTC (Tue) by bronson (subscriber, #4806)
I agree with what you said. But that's quite different from this:
> Rails basically gives the whole world read/write access to your database by default, by design.
If that were true, Rails sites would be getting pwned left and right.
I'd guess Model.new(params[:model]) isn't used in many production Rails sites. Not in any of the ones I've worked on anyway.
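The mass-assignment behaviour the security guide describes, next to the whitelist it recommends, as an added example in plain Ruby: a constructed stand-in for an ActiveRecord model, not Rails' own code and not code posted in this thread (UnprotectedUser, ProtectedUser and HOSTILE_PARAMS are assumed names).

```ruby
# Constructed stand-in for an ActiveRecord model; not Rails' own code.
# Every entry in COLUMNS is a database column, including the privileged
# "admin" flag that a signup form should never let the client set.
class UnprotectedUser
  COLUMNS = %w[name email admin].freeze
  attr_reader :attributes

  # The pattern Model.new(params[:model]) with no precautions behaves like
  # this: every submitted key that names a column is written, no questions asked.
  def initialize(params = {})
    @attributes = COLUMNS.to_h { |c| [c, nil] }
    params.each do |key, value|
      key = key.to_s
      @attributes[key] = value if COLUMNS.include?(key)
    end
  end
end

# Hardened variant mirroring attr_accessible: only whitelisted columns may be
# mass-assigned. Non-strict mode drops the rest (log-and-ignore behaviour);
# strict mode raises instead, so a hostile request fails loudly.
class ProtectedUser < UnprotectedUser
  ACCESSIBLE = %w[name email].freeze

  def initialize(params = {}, strict: false)
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    if strict && !rejected.empty?
      raise ArgumentError, "can't mass-assign protected attributes: #{rejected.join(', ')}"
    end
    super(params.reject { |k, _| rejected.include?(k.to_s) })
  end
end

# Constructed request parameters: the form only shows name and email, but
# nothing stops a client from adding an extra admin key to the POST body.
HOSTILE_PARAMS = { "name" => "eve", "email" => "eve@example.com", "admin" => true }.freeze

if __FILE__ == $PROGRAM_NAME
  p UnprotectedUser.new(HOSTILE_PARAMS).attributes # "admin" => true
  p ProtectedUser.new(HOSTILE_PARAMS).attributes   # "admin" => nil
end
```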