Has someone notified GitHub?
How is that "trolling"? oO 👎
Lame reaction award for this, please.
+1 on the speedy Sunday morning fix!
I looked at all of the relevant GitHub issues and I'm a bit confused as to how someone reporting a vulnerability, being ignored, and then demonstrating that vulnerability in a non-evil way at all constitutes trolling. I second the lame reaction award nomination, should such an award indeed exist.
I don't think asking for money was a good idea, but I definitely don't see an issue with what he's done. If nobody listens, make them listen. Heck, he might have stopped something very bad from happening down the road.
Calling him a troll is childish, and does nothing to drive the discussion. In fact it hurts it.
It's easy to see how the Rails core team would be offended by this attack. I'm not saying it completely justifies calling him a troll, but it's quite understandable. If someone made an example by attacking one of your projects, you might be just as offended and might very well react the same way.
Yeah, go ahead and call him a troll and then proceed to add commits to fix the reported security issue. Stay classy @jonleighton
1+ for lame
This is still gnawing at you, eh? :P
@tilsammans since @homakov used in #5239 then calling him a troll is probably justified
@jyap808 the “fix” that was committed was explicitly rejected by @homakov - he wanted to special case certain attributes, which would still leave holes where the attribute names didn't fit the pattern. Whilst it may have mitigated some attacks, it would've engendered a false sense of security.
How is he a troll - he found a freaking security flaw that everyone was ignoring and urged you to fix it. For what definition of troll does this apply?
-1 Rails core team
+1 to Egor. He brought up an issue and demonstrated it a bit unorthodoxly, but at least he finally attained the proper attention that was necessary.
I wish I were 13 again so I could be a member of Rails Core.
@dhruvbird Your comment is terribly uninformed. The Rails core team can't fix GitHub's code. The GitHub guys didn't use tools that Rails provides (and whose usage the Rails community encourages). The fact that the attack happened in the Rails repo on a Rails app is correlation, not causality.
@khiltd I have good news for you. Your comment here was far more condescending and immature than the commit message could ever dream of being.
Ah, good. I was worried that the subtlety might get lost.
Removing troll? What a joke. Get over yourself.
@jgaskins I was referring to the flaw (or informed oversight, as some might want to call it) in Rails itself - the comment was not directed at GitHub, who happened to be a victim in the whole thing. The point of the person who did this was to ensure that the defaults are "secure" and not amenable to being made secure with some tweaking.
I understand though that the bug isn't entirely fixed.