The secret token key published here is the original key generated by Rails, but it's not used in production environments. The system uses a method similar to what's proposed here (diaspora), based on Capistrano.
The Facebook ID and keycode aren't used by the application and refer to a kind of 'dummy' account that is never used, so those IDs will be cleaned up. In any case, the keys will be managed using Capistrano scripts.
For payment credentials, this refers to a test site in test mode.
I'm not mélanchonien but this initiative is quite laudable.
I saw you took some precautions while disclosing the source code, but you missed some points.
In config/initializers/secret_token.rb: This is called secret for a reason. It is used to sign your cookies. You leave your users vulnerable to session hijacking.
In config/environment.rb: These are part of a payment gateway's credentials. For these, you're stuck with them being public; you can't regenerate them. Try calling Paybox.
In config/initializers/devise.rb: Here are the APP_ID and APP_SECRET for your Facebook app.
Here is a little help. I wanted to talk about SettingsLogic, addressing such issues, so I jumped on the occasion: http://emaxime.com/2012/managing-private-settings-with-settingslogic/
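A loader in the spirit of the SettingsLogic approach the issue points to, as an added example that is neither the project's nor the poster's code: it reads the per-environment secret from an untracked YAML file or from ENV and refuses to boot with a missing, short or committed token instead of silently signing cookies with a public key. The file path, the `MIN_SECRET_BYTES` threshold, the `SECRET_TOKEN` variable name and the sample YAML are assumptions constructed for the example.

```ruby
require "yaml"
require "tempfile"
# Minimal stand-in for the SettingsLogic pattern: per-environment sections in an
# untracked YAML file, with ENV as fallback. Path and names are assumptions.
class PrivateSettings
  DEFAULT_FILE = "config/private_settings.yml" # assumed path; keep it in .gitignore
  MIN_SECRET_BYTES = 30 # Rails generates a 128-hex-char token; anything shorter is suspect
  class MissingSecret < StandardError; end
  # Values from the untracked per-environment file win over ENV.
  def initialize(env, path: DEFAULT_FILE, environ: ENV)
    @env = env
    data = File.exist?(path) ? (YAML.safe_load(File.read(path)) || {}) : {}
    @from_file = data.fetch(env, {})
    @environ = environ
  end
  def fetch(key)
    @from_file[key] || @environ[key.upcase]
  end
  # Secret for config.secret_token: fail at boot rather than fall back to a committed value.
  def secret_token!(committed_default: nil)
    token = fetch("secret_token")
    raise MissingSecret, "secret_token unset for #{@env}" if token.nil? || token.empty?
    raise MissingSecret, "secret_token is the committed placeholder" if token == committed_default
    raise MissingSecret, "secret_token too short" if token.bytesize < MIN_SECRET_BYTES
    token
  end
end
# Constructed sample file: development has a token, production is left out on purpose.
SAMPLE_SETTINGS = <<~SETTINGS
  development:
    secret_token: "dev-only-#{'a' * 40}"
SETTINGS
# Writes the sample to a temp file and reports whether each environment can boot.
def self_check
  Tempfile.create(["private_settings", ".yml"]) do |f|
    f.write(SAMPLE_SETTINGS)
    f.flush
    dev = PrivateSettings.new("development", path: f.path, environ: {}).secret_token!
    prod_boots = begin
      PrivateSettings.new("production", path: f.path, environ: {}).secret_token!
      true
    rescue PrivateSettings::MissingSecret
      false
    end
    { development_loaded: dev.start_with?("dev-only-"), production_boots: prod_boots }
  end
end
```

Wiring `secret_token!(committed_default: <the token now in git history>)` into `secret_token.rb` turns the leaked value into a hard boot failure wherever someone forgets to replace it.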