Remove /config/initializers/secret_token.rb from git repo! #737

Closed
Linutux opened this Issue Jan 13, 2013 · 4 comments


Linutux commented Jan 13, 2013

Your git repo contains /config/initializers/secret_token.rb. This file is used to encrypt cookies. If someone knows this secret, he could pretend to be UID=1 (Admin) and could break into any system running the bare rstat.us git repo. More info: http://www.phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html
Workaround: Remove the file and provide an example file with a different secret than the one used on rstat.us.
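What the report above describes, as an added example that is not part of this issue or of the rstat.us code base: a Rails 3 CookieStore-style signed session cookie (base64 payload, then an HMAC-SHA1 over it keyed with secret_token), and the forged admin session that anyone holding the same secret can produce. The SessionCookie class, the demo functions and the use of JSON as serializer are this example's own choices; Rails 3 itself serialized the session with Marshal, which adds a deserialization hazard on top of plain forgery once the key is known.

```ruby
# Added example, not rstat.us code. Mirrors the sign/verify shape of
# ActiveSupport::MessageVerifier as used by the Rails 3 cookie store:
#   cookie = base64(payload) + "--" + hex(HMAC-SHA1(secret_token, base64(payload)))
# The serializer here is JSON (Rails 3 used Marshal).
require 'openssl'
require 'json'
require 'securerandom'

class SessionCookie
  def initialize(secret)
    raise ArgumentError, 'secret_token must be set' if secret.nil? || secret.empty?
    @secret = secret
  end

  # Build a signed cookie for the given session hash.
  def generate(session_hash)
    data = [JSON.generate(session_hash)].pack('m0')   # strict base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Return the session hash if the signature checks out, otherwise nil.
  def verify(cookie)
    data, sig = cookie.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(data.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison so the verifier does not leak the digest byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    expected = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ expected.shift }
    diff.zero?
  end
end

# The secret was committed to git, so the attacker has the same value as the
# server and can mint a session for user_id 1 (the admin in the report).
def forgery_demo(leaked_secret)
  server   = SessionCookie.new(leaked_secret)
  attacker = SessionCookie.new(leaked_secret)   # read straight out of the repo
  forged   = attacker.generate('user_id' => 1)
  session  = server.verify(forged)
  session && session['user_id']                 # 1: the app trusts the forged cookie
end

# Once the deployment generates or rotates its own secret, the forged cookie
# (and every session signed with the leaked one) is rejected.
def rotated_demo(leaked_secret)
  attacker = SessionCookie.new(leaked_secret)
  forged   = attacker.generate('user_id' => 1)
  server   = SessionCookie.new(SecureRandom.hex(64))
  server.verify(forged)                         # nil
end

if __FILE__ == $0
  leaked = 'c0ffee' * 20   # constructed stand-in for a committed secret_token
  puts "forged cookie accepted as user_id=#{forgery_demo(leaked).inspect}"
  puts "after rotation: #{rotated_demo(leaked).inspect}"
end
```

The check a practitioner wants from this is the second function: a secret that has ever been pushed to a public repo has to be rotated, not merely removed from the tree, because the value stays in history and every cookie it ever signed stays valid until the key changes.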

Contributor

zph commented Jan 13, 2013

If you read the code, you'll notice that there is no hard coded value for the 'secret token' in that file.

In test envs this is automatically generated, in production it's contained in a non-git-committed config file.

Closing as incorrect.

@zph zph closed this Jan 13, 2013
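The pattern zph describes, as an added example that is not part of this issue or of rstat.us's own initializer: outside production a fresh token is generated on every boot, in production it is read from a file that must exist, must not be tracked by git, and must be long enough. The function names, the secret file path and the length threshold are this example's assumptions; the 128-hex-character length matches what `rake secret` emits.

```ruby
# Added example, not rstat.us code. Stand-in for what a secret_token.rb
# initializer does when it carries no hard-coded value.
require 'securerandom'

MIN_HEX_CHARS = 128   # assumption: length of `rake secret` output (SecureRandom.hex(64))

# True when git reports `path` as tracked; false when it is untracked or git is absent.
def git_tracked?(path)
  system('git', 'ls-files', '--error-unmatch', path,
         out: File::NULL, err: File::NULL) == true
end

# Return the token to assign to config.secret_token for the given environment.
# `tracked:` lets callers (and tests) bypass the git lookup.
def secret_token_for(env, secret_path, tracked: nil)
  # development / test: a throwaway token, different on every boot
  return SecureRandom.hex(64) unless env == 'production'

  unless File.exist?(secret_path)
    raise "#{secret_path} missing; create it outside the repo, e.g. `rake secret > #{secret_path}`"
  end
  tracked = git_tracked?(secret_path) if tracked.nil?
  if tracked
    raise "#{secret_path} is tracked by git: remove it from the repo and rotate the token"
  end
  token = File.read(secret_path).strip
  if token.length < MIN_HEX_CHARS
    raise "secret_token too short (#{token.length} chars, need #{MIN_HEX_CHARS})"
  end
  token
end

if __FILE__ == $0
  # assumed location; in a real app this would be outside the checkout or in .gitignore
  path = File.expand_path('config/secret_token', Dir.pwd)
  puts "test token:  #{secret_token_for('test', path)}"
  begin
    puts "prod token:  #{secret_token_for('production', path)}"
  rescue RuntimeError => e
    puts "production refused to boot: #{e.message}"
  end
end
```

Refusing to boot is deliberate: a production process that silently falls back to a generated or default token either logs everyone out on each restart or, worse, starts with a value that is also in the repository.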

Contributor

steveklabnik commented Jan 13, 2013

Thank you for mentioning it though!

Linutux commented Jan 13, 2013

I'm sorry, I confused two git repos. I had two browser tabs with the same file open and that's what happened. I'm sorry!

But nevertheless it could be of interest for others, who also have rails apps on Github.

Contributor

zph commented Jan 13, 2013

No worries :). Sorry if I sounded short, I was typing it from a phone.

Also, interestingly enough, when I saw that blog post that you referenced and Googled for 'secret_token.rb' on github... This repo was one of the first to come up. I was happy to see that it wasn't truly vulnerable :).
