
wow how come I commit in master? O_o

1 parent 4d391a4 commit b83965785db1eec019edf1fc272b1aa393e6dc57 @homakov homakov committed Mar 4, 2012
Showing with 3 additions and 0 deletions.
  1. +3 −0 hacked
3 hacked
@@ -0,0 +1,3 @@
+another showcase of rails apps vunlerability.
@jsauve

jsauve Mar 8, 2012

He can hack...but can he spell?

@AlekSi

AlekSi Mar 8, 2012

I guess you should do the same in Russian then. ;)

@jsauve

jsauve Mar 8, 2012

The voice of inflection my humor is not very well translated into Russian ;)

@akostrikov

akostrikov Mar 29, 2012

Indeed, not very.

@dreamfall

dreamfall Mar 29, 2012

Contributor

Yeah, dude, you've got some problems with Russian :)

+Github pwned. again :(
+will you pay me for security audit?
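Review bot: Spelling in the first line of `hacked` is wrong ("vunlerability" should be "vulnerability"), and the three-line file carries no reference to the report or to the affected code, so anyone reading the history later cannot tell from the diff which mass-assignment issue it is meant to demonstrate. Suggest replacing the bare marker with, or adding to the commit message, a link to the original bug report so the history documents the finding rather than only the fact of the push.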

260 comments on commit b839657

Glad this issue is now resolved. Back to work!

Oh well, back to work.

Welcome back @homakov. FWIW you got your message across. Not sure you could have done it any other way. Take this as a lesson all you devs, take all your bug reports seriously.

@gitmonster +infinities and also @DouweM and @tekknolagi

Most comments are completely childish. I've been on both sides of the equation and believe me, mature people deal with this in a much cleaner way. Lots of people find vulnerabilities bigger than this EVERY day. You just don't hear about them because they are quiet and respect the rules of engagement in Security: report and wait ENOUGH time (not just hit a huge website with a huge bug and expect it to be fixed immediately! Which they did, BTW, huge kudos to Github for their amazing response...)

Having read a lot on this issue, I'm certain @homakov tried to do The Right Thing (TM) and he just messed up due to inexperience and the kind of light-minded attitude that we all have had when we were young. I'm also sure he has learned a big lesson today and all his 0day vulnerabilities will be properly reported from now on instead of breaking hell loose on a Sunday evening.

Thanks @homakov, the Github team and everybody involved in the fixes!

And now people, LEARN how a good company behaves during such tough times. Please, read the official story of what happened:
https://github.com/blog/1069-responsible-disclosure-policy

I really enjoyed reading this comments, I love open source projects \o/

Well, I take back what I said, Github seems to be handling this admirably. At least in the end.

@homakov is symbol of freedom! Thank you! @php_peru is with you!

No harm no foul, I suppose. Real hacking is always playful!

Fascinating to watch the evolution of this bug (if you look at the tickets, and the tickets which that ticket references) - Rails' aim to be easy for beginners has become a stumbling point even for the most advanced experts.

+1 for the hack, +1 for GitHub for being so sensible about this. (+1 when Rails changes the default?)

chkn replied Mar 5, 2012

-1 for GitHub's lack of humility about all this. I sincerely hope they are doing a little more for @homakov than just giving him back what he had before. He really did them a big favor.

lol wow

@rmoriz Oh gosh that caught me by surprise.

well done

A solution to a more obscure problem related to the "vulnerability" of mass assignment:
https://gist.github.com/1976687

After reading through the bug history, I'm glad @homakov persisted. People simply weren't taking him seriously. It looks pretty bad in retrospect.

Off topic: how can I disable all types of notifications coming from this commit? I have done so for email notifications for this commit, but I would also like to stop receiving tons of notifications via GitHub's interface. Anyone know how? Thanks.

Contributor

jacortinas replied Mar 5, 2012

@Apelsin right below the comment box at the end of this commit, there is a link to disable email notifications for this commit.

i3zhe replied Mar 5, 2012

Actually, this one is hacked by Lei Feng from China.

Mar 5 2012

Shit I'm using @github and @rails right now.
=> Now I have to spend the whole week to move our enterprise code to PHP and CVS.

thers replied Mar 5, 2012

Chikey, you did everything right. Russia is proud of you :D

@jacortinas Please re-read what I wrote. I just said I did that already and what I am asking for is how to disable ALL notifications for THIS commit.
Thanks.

Contributor

jacortinas replied Mar 5, 2012

hzlzh replied Mar 5, 2012

Just see the 5th comment in front of this one LOL~~~

make word better you can.

oops! this is not so nice to hear! :@

I write in epic thread

With that, all those "node.js community is so immature" phrases come to my mind. Seems like there are more of these ...

Rails is PHP in disguise?

put this in your initializer and forget all about it:

ActiveRecord::Base.send(:attr_accessible, nil)
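
To see what that initializer line actually changes, here is an added example (not code from this thread or from Rails itself) that simulates attr_accessible in plain Ruby; Model, UnprotectedKey, ForgottenKey, PublicKey and the params hash are all constructed for the illustration. The contrast between an open default and a closed default whitelist is the whole mass-assignment issue the thread is about.

```ruby
# Added example, not code from the thread or from Rails: a minimal stand-in
# for ActiveRecord's attr_accessible whitelist, to show what the initializer
# line above changes. Model, PublicKey and the params hash are constructed.
class Model
  class << self
    # nil  = no whitelist declared, every param is assignable (old default)
    # [..] = only the listed attribute names may be mass-assigned
    attr_accessor :accessible
    # Mirrors attr_accessible: append names to the whitelist. Passing nil
    # (the initializer trick) yields an empty, closed whitelist.
    def attr_accessible(*names)
      self.accessible = (accessible || []) + names.compact.map(&:to_s)
    end
    # Subclasses start from the parent's whitelist, as ActiveRecord does.
    def inherited(subclass)
      subclass.accessible = accessible && accessible.dup
    end
  end

  attr_reader :attributes
  # Mass assignment: copy a params hash onto the record, silently dropping
  # any key that is not whitelisted.
  def initialize(params = {})
    @attributes = {}
    allowed = self.class.accessible
    params.each do |key, value|
      next if allowed && !allowed.include?(key.to_s)
      @attributes[key.to_s] = value
    end
  end
end

# A model defined before the initializer runs and declaring nothing.
class UnprotectedKey < Model; end

# The initializer line from the comment: every model defined from here on
# inherits an empty whitelist instead of an open one.
Model.send(:attr_accessible, nil)

class ForgottenKey < Model; end          # declares nothing: accepts nothing
class PublicKey < Model                  # declares its fields: accepts those
  attr_accessible :title, :key
end

# Constructed request params: two legitimate fields plus an owner reference
# that must never be settable from the request.
SAMPLE_PARAMS = { "title" => "laptop", "key" => "ssh-rsa AAAA...", "owner_id" => 42 }.freeze

# Which attribute names actually land on the record for a given model class.
def assigned(model_class, params = SAMPLE_PARAMS)
  model_class.new(params).attributes.keys.sort
end
```

Run `assigned(UnprotectedKey)`, `assigned(ForgottenKey)` and `assigned(PublicKey)` to see the owner reference accepted, everything rejected, and only the declared fields accepted, respectively.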

pwlin replied Mar 5, 2012

put this in your php.ini and forget all about it:

register_globals = Off

Only CoffeeScript allowed :P

NoICE replied Mar 5, 2012

I wonder how many bugs like this are in GitHub's (and my) code. What about subscriptions for example...

gugu replied Mar 5, 2012

there are no kittens in this thread

kitten

Wow amazing thread! even If I'm not a Rails developer!

 _____ _   _ _____    ____    _    __  __ _____ 
|_   _| | | | ____|  / ___|  / \  |  \/  | ____|
  | | | |_| |  _|   | |  _  / _ \ | |\/| |  _|  
  | | |  _  | |___  | |_| |/ ___ \| |  | | |___ 
  |_| |_| |_|_____|  \____/_/   \_\_|  |_|_____|

lol gg

OMG GitHub has turned into Reddit/2+2...

upvote

I hereby associate myself with this epic commit thread.

@homakov

Congrats on unbanning yourself!

PS- can you upgrade my account? Thanks!

This is not a design problem... of the architecture, but that of the default policy making assignment implicit AND of the user (github) not being security conscious enough. And since github was informed about the status quo it's its sole responsibility for being hacked and they were IN LUCK that it wasn't someone malevolent. Committing to the main branch guaranteed speedy alert of the responsible personnel and a patch fixing all apps hence.

@homakov "get account back" - is nice reward. Congrats! :trollface:

quazy

@grantgalitz Exactly. This is a place for coders to get things done. Go back to Reddit and 4chan if you want meme pictures and let the men and women do work.

Oh please... get over yourselves.

GitHub is one of the greatest things ever created.

Rails, however... not so much.

@gfosco I can't agree more... stupid Rails. Powered Rails on the other hand, they are pretty awesome, but you do need to get a lot of gold.

When you commit in master, the terrorists win!

Contributor

oreoshake replied Mar 5, 2012

use https://github.com/presidentbeef/brakeman, it finds mass assignment vulnerabilities pretty darn well

Bravo!

koopa replied Mar 5, 2012

good job mate :)
you did the right thing in my opinion. no harm done but great way to get attention for a critical issue

Contributor

tinogomes replied Mar 5, 2012

@oreoshake awesome tool +1

@Petah what were you thinking?

What an interesting discussion. Point of the matter is - the guy pointed out a vulnerability, some people decided it should be ignored (being a security issue that's a pretty big problem), so he made it even more obvious to the entire community and some people are putting him down for it. Absolute joke.

Wow, now really, how much will it take to have also a register_globals-like functionality? =)
Seriously rails? :|

@Ocramius and @Others:
register_globals and magic_quotes are deprecated and have been removed in latest versions of PHP, so you don't shine and unless you're being vaguely sarcastic, you show you lack skill.

@rishta you don't say? :D

pwlin replied Mar 6, 2012

@rishta
Your comment lacks a certain level of understanding the joke.
Of course they are deprecated, because PHP - by design - is no more vulnerable to this sort of attack. That was the whole point.
By not fixing these holes in a default installation, RoR now scores even lower than PHP of 5 years ago.

@github, pretty please is there some way to turn off notifications from this thread without turning off all commit comment notifications?

If PHP code is producing errors with register_globals on you are terrible terrible programmer. If you are using magic_quotes you are simply stupid.

But I like magic! David Blaine is soo cool

Contributor

ixti replied Mar 6, 2012

@jberger I use Firebug: $('.del a').click() on notification page to get rid of approx 10 messages per hour from this thread :))

imlcl replied Mar 7, 2012

wow

Welcome to Rails :) If you aren't using attr_accessible Santa kills 3 kittens for every vulnerable model.

@dreamr

Santa kills 3 kittens for every vulnerable model

In this case there was a dead octokitten.

holy crap

Pagination for the win..

Contributor

homakov replied Mar 8, 2012

@larzconwell
1. There is a 'mark all as read' button on the notifications tab.
2. Why do you think clearing messages should help? I am 100% sure they have a table for participating users and you will be there FOREVER

Damnit, can't I go one day without having to see Michael Jackson?

Epic commit is epic!

Why do I still get notifications about this thread when I unsubscribed a few days ago and, according to the bottom of this page, they are properly off? :/

Rails developer: security? Nah, never heard of it!

(Ukrainian)

@NoICE

Why do I still get notifications about this thread when I unsubscribed a few days ago and, according to the bottom of this page, they are properly off? :/

Check the «Comments after me on commits» setting in your Notification Center.

@Mithgol thanks!

Wow, all these animated gifs make me feel like I'm on a 1996 Geocities page.

@jfahrenkrug that's exactly what they're meant for... We're commenting on 1996's web applications' security issues :D

Khomyakov, you're cool )

Interesting.

So much fun!

Egor Letov live!

Leaving my mark before this goes viral = =

Already viral, leaving my mark...

😷

What if someone introduced very hard to detect vulnerabilities in popular software packages and libraries by altering commits long ago in the history of the projects?

We'd never know.

What if this has already happened?

Member

seuros replied Nov 19, 2014

Git is not centralized, everybody will notice that once he/she tries to push to the repo since the SHA will not match.

:-)

@dandv Man, I'm seeing you everywhere.

@seuros is right, though. You can't pull from a repository with altered commit history without huge flames and explosions.

Well, Egor deserves a cookie. Give it to him! Medium

Egor for president!!!

vulnerability

Over four years now.. 😃

2017, comment for every year so far.
