PIVOTAL LABS
Standup 2/9/2011: Beware Rails vulnerabilities

Interesting Things

Report from Josh Susser:

There have been several vulnerabilities in Rails reported recently. You can check out the announcements on the Google Group:

Vulnerability in the Mail gem affecting Rails 3.0.x applications

CSRF Protection Bypass in Ruby on Rails

Potential SQL Injection in Rails 3.0.x

Filter Problems on Case-Insensitive Filesystems

Potential XSS Problem with mail_to :encode => :javascript

The fixes are generally to upgrade to 3.0.4 or 2.3.11. There are patches for many versions if you’re stuck and can’t upgrade.

If you’re not on the Google Group, you probably should be. It’s very low volume, and everything on it is critical information.

http://groups.google.com/group/rubyonrails-security

Ask for Help

  • “Any suggestions for testing an Authorize.net integration?”

VCR is a good option, assuming you can get VCR to notice the initial requests.

  • “Running Jasmine with Selenium results in occasional port fail. Is the best solution to sleep more before setting up connections?”

  • “Devise seems to have the tools to set up an oauth provider. Are there any gems that pull everything together?”

Comments
  1. Jack Dempsey says:

    re: oauth, if you haven’t looked at OmniAuth, that might just do it.

  2. Jacob Maine says:

    The original question was about _being_ an oauth provider, rather than _authenticating_ users through an oauth provider. But, you’re right, OmniAuth looks like a great tool for the latter.

  3. Myron Marston says:

    > VCR is a good option, assuming you can get VCR to notice the initial requests.

    Have you had problems getting VCR to record? Ping me on twitter or github; I’d be interested in hearing about any usability problems with VCR that I may be able to address.

  4. Jacob Maine says:

    @myron – didn’t intend to imply VCR might not be up to the job. The only time I’ve ever had problems was when my test code wasn’t generating the same URLs every test run.

  5. Myron Marston says:

    > The only time I’ve ever had problems was when my test code wasn’t generating the same URLs every test run.

    Makes sense. VCR definitely works the smoothest when your URLs are deterministic. That said, it has support for customizing the way new requests match old ones:

    http://relishapp.com/myronmarston/vcr/v/1-6-0/dir/cassettes/request-matching

    You just have to do a bit more configuration.
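As an added example that is not part of the original post, the comments, or the VCR library itself: the exchange above notes that VCR replays most reliably when URLs are deterministic, and that request matching can be customised. The Ruby below (standard library only, no VCR dependency) shows the idea behind such a matcher: reduce each request to a signature that keeps the method, host, path and the stable query parameters while dropping volatile ones, then compare signatures instead of raw URLs. The `timestamp` and `nonce` parameter names, the `api.example.test` host and both sample requests are constructed for this example.

```ruby
require "uri"
require "cgi"

# Query parameters that legitimately change between test runs and so must not
# influence matching. Constructed names for this example, not from any real API.
VOLATILE_PARAMS = %w[timestamp nonce _].freeze

# Reduce a request to the parts that are stable across test runs:
# HTTP method, lower-cased host, path, and the sorted non-volatile query params.
def request_signature(method, url, volatile: VOLATILE_PARAMS)
  uri = URI.parse(url)
  params = CGI.parse(uri.query.to_s) # {"name" => ["value", ...]}
  stable = params.reject { |name, _| volatile.include?(name) }
                 .sort
                 .map { |name, values| "#{name}=#{values.sort.join(',')}" }
  [method.to_s.upcase, uri.host.to_s.downcase, uri.path, stable.join("&")]
end

# True when a live request should be served from the recorded one.
def matching_request?(recorded, live, volatile: VOLATILE_PARAMS)
  request_signature(*recorded, volatile: volatile) ==
    request_signature(*live, volatile: volatile)
end

# Constructed sample: the same payment call as recorded on a first run and as
# issued on a later run, with a different timestamp, nonce and parameter order.
RECORDED = [:post, "https://api.example.test/charge?amount=1000&timestamp=1297296000&nonce=abc"].freeze
LIVE     = [:post, "https://API.example.test/charge?nonce=def&timestamp=1297382400&amount=1000"].freeze

puts "replay recorded response: #{matching_request?(RECORDED, LIVE)}" if $PROGRAM_NAME == __FILE__
```

Without the filtering, the two sample URLs differ and a cassette recorded on the first run would never match on the second, which is exactly the non-deterministic-URL problem described above. VCR 1.6 (the version linked) offers the built-in `:match_requests_on` cassette option, for example `[:method, :host, :path]`, which drops the query string altogether rather than filtering it; plugging a filtering matcher like this one into VCR assumes a later release that lets you register a custom request matcher.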