
remove troll

1 parent 851fd8f commit 2b74968f03fa4fbdf8afaa497b8446cb00fbddcd @jonleighton jonleighton committed Mar 4, 2012
Showing with 0 additions and 3 deletions.
  1. +0 −3 hacked
hacked (3 lines changed)
@@ -1,3 +0,0 @@
-another showcase of rails apps vunlerability.
-Github pwned. again :(
-will you pay me for security audit?
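
Review bot: The commit message "remove troll" records neither how the file `hacked` came to be in the tree nor where the underlying issue is tracked; the comments on this commit point to #5239, so referencing that issue (and the separate commits that address the reported security issue) in the message would make the history self-explanatory. The deletion itself is complete: all three lines of the file are removed and nothing else is touched.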

21 comments on commit 2b74968

Contributor

djones replied Mar 4, 2012

Has someone notified GitHub? :octocat:

thejh replied Mar 4, 2012

How is that "trolling"? oO 👎

thejh replied Mar 4, 2012

Lame reaction award for this, please.

+1 on the speedy Sunday morning fix!

I looked at all of the relevant GitHub issues and I'm a bit confused as to how someone reporting a vulnerability, being ignored, and then demonstrating that vulnerability in a non-evil way at all constitutes trolling. I second the lame reaction award nomination, should such an award indeed exist.

I don't think asking for money was a good idea, but I definitely don't see an issue with what he's done. If nobody listens, make them listen. Heck he might have stopped something very bad from happening down the road.

Contributor

tilsammans replied Mar 4, 2012

Calling him a troll is childish, and does nothing to drive the discussion. In fact it hurts it.

Contributor

jgaskins replied Mar 5, 2012

It's easy to see how the Rails core team would be offended by this attack. I'm not saying it completely justifies calling him a troll, but it's quite understandable. If someone made an example by attacking one of your projects, you might be just as offended and might very well react the same way.

Yeah, go ahead and call him a troll and then proceed to add commits to fix the reported security issue. Stay classy @jonleighton

1+ for lame

Contributor

mdesantis replied Mar 5, 2012

This is still gnawing at you, eh? :P

Owner

pixeltrix replied Mar 5, 2012

@tilsammans since @homakov used :trollface: in #5239 then calling him a troll is probably justified

@jyap808 the “fix” that was committed was explicitly rejected by @homakov - he wanted to special case certain attributes which would still leave holes where the attribute names didn't fit the pattern. Whilst it may have mitigated some attacks it would've engendered a false sense of security.
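
The distinction @pixeltrix draws, between special-casing attribute names that match a pattern and declaring an explicit allow-list, can be shown in a few lines of plain Ruby. The following is an added example, not code from the rails/rails repository, from this commit, or from any participant in the thread. It assumes that the "tools that Rails provides" mentioned later in the thread refer to an attribute allow-list of the attr_accessible kind (an assumption; the example does not depend on Rails), and the attribute names, the model and the request hash are constructed for the demonstration.

```ruby
# Added example (not code from the rails/rails repository or from the commit above).
# It contrasts two ways of filtering attributes that a request hands to a model:
# a pattern-based blacklist of the kind described as rejected in the thread, and
# an explicit whitelist, which is the approach Rails' attr_accessible takes
# (that mapping is an assumption; attribute names below are constructed).

# Attributes a user should be allowed to set about themselves.
SAFE_ATTRIBUTES = %w[name email].freeze

# Blacklist approach: block attribute names that "look" sensitive.
# Anything the pattern did not anticipate gets through.
def blacklist_filter(params)
  params.reject { |key, _| key == "admin" || key.end_with?("_id") }
end

# Whitelist approach: only names explicitly declared safe get through,
# regardless of what else the request contains.
def whitelist_filter(params, allowed = SAFE_ATTRIBUTES)
  params.select { |key, _| allowed.include?(key) }
end

# A minimal stand-in for a model that accepts a hash of attributes.
class Account
  attr_reader :attributes

  def initialize
    @attributes = { "name" => nil, "email" => nil, "admin" => false,
                    "owner_id" => nil, "trusted" => false }
  end

  def assign(params)
    params.each { |key, value| @attributes[key] = value if @attributes.key?(key) }
    self
  end
end

# Constructed request parameters: a user-supplied hash that also tries to set
# fields the user should never control. "trusted" does not match the blacklist
# pattern, which is exactly the hole the thread warns about.
HOSTILE_PARAMS = {
  "name"     => "Mallory",
  "email"    => "mallory@example.com",
  "admin"    => true,
  "owner_id" => 1,
  "trusted"  => true
}.freeze

# Returns the names of non-safe attributes that ended up set after filtering
# with the given filter method (:blacklist_filter or :whitelist_filter).
def leaked_privileged(filter_method, params = HOSTILE_PARAMS)
  account = Account.new.assign(send(filter_method, params))
  account.attributes.select { |key, value| !SAFE_ATTRIBUTES.include?(key) && value }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "blacklist leaks: #{leaked_privileged(:blacklist_filter).inspect}"
  puts "whitelist leaks: #{leaked_privileged(:whitelist_filter).inspect}"
end
```

Running the file prints that the blacklist lets `trusted` through while the whitelist leaks nothing; adding more names to the pattern only moves the hole to whichever attribute is introduced next, which is why an allow-list is the safer default.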

How is he a troll - he found a freaking security flaw that everyone was ignoring and urged you to fix it. For what definition of troll does this apply?

-1 Rails core team

+1 to Egor. He brought up an issue and demonstrated it a bit unorthodoxly, but at least he finally attained the proper attention that was necessary.

@ghost

ghost replied Mar 5, 2012

I wish I were 13 again so I could be a member of Rails Core.

Contributor

jgaskins replied Mar 5, 2012

@dhruvbird Your comment is terribly uninformed. The Rails core team can't fix GitHub's code. The GitHub guys didn't use tools that Rails provides (and whose usage the Rails community encourages). The fact that the attack happened in the Rails repo on a Rails app is correlation, not causality.

@khiltd I have good news for you. Your comment here was far more condescending and immature than the commit message could ever dream of being.

@ghost

ghost replied Mar 5, 2012

Ah, good. I was worried that the subtlety might get lost.

Removing troll? What a joke. Get over yourself.

@jgaskins I was referring to the flaw (or informed oversight, as some might want to call it) in Rails itself; the comment was not directed at GitHub, who happened to be a victim in the whole thing. The point of the person who did this was to ensure that the defaults are "secure", and not amenable to being made secure with some tweaking.

I understand though that the bug isn't entirely fixed.
