
wow how come I commit in master? O_o

commit b83965785db1eec019edf1fc272b1aa393e6dc57 1 parent 4d391a4
Egor Homakov authored

Showing 1 changed file with 3 additions and 0 deletions.

hacked
@@ -0,0 +1,3 @@
+another showcase of rails apps vunlerability.
+Github pwned. again :( 
+will you pay me for security audit?
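
Review bot: the three `+` lines add a plain-text file `hacked` that carries only a message (with the misspelling "vunlerability") and no code, and the commit message itself says the author did not expect to be able to commit to master; the right action is to revert this from master rather than keep it, and to track the access path that let it be pushed as the actual defect, since the file content has nothing to review.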

253 notes on commit b839657

Adam Hawkins

o_0

Andrei Filimonov

Whoa!

Tadas Tamošauskas

Since you can commit to master, you could just fix the vulnerability :)
Also, Rails is open source - you get it for free, why not make it better for free as well?

Alex Tambellini

relevant: #5228

Brooke McKim

Not sure if this is the best way to prove your point :rage:

Egor Homakov

@brookemckim sorry if it looks stupid.:(

@tadast I was going to! But I 'm not done yet :trollface:

Matthew Johnston

Nice find, thanks for pointing this out. Need to be more cautious about XSS and mass-assignment

@brookemckim would you have listened if he didn't?

Roland Moriz

If everyone is doing it wrong, there is enough reason to fix it through more restrictive defaults. imho.

bUg.

If everyone is doing it wrong, it's just a reason to read documentation.

Ian Leitch

You don't get better trolling than this.

Jose Angel Cortinas

I doubt that Github failed at "reading the documentation". If Rails is so serious about providing the best tool to developers and its conventions being the best practice, then it's important that the framework establish a convention of more strict security by default.

Jérôme Mahuet

Nice catch haha!

Aaron Taylor

Good catch and let's hope this gets addressed.

Zach Holman

We've patched and fixed this on GitHub.

Jose Angel Cortinas

:+1: @holman.

but who knows how many apps have this issue and don't even realize it. :(

Vlad Gorodetsky
bai commented on b839657 March 04, 2012

Love you @holman

Gonçalo Silva

@holman Has this been fixed in Rails upstream? If not, did you guys send a pull request?

Filipe Moreira

@holman Pretty fast response for a Sunday morning. Do you mind sharing some details of the patch? Was it Rails related?

Ian Leitch

@filipeamoreira Probably just missing attr_accessible, see: #5228

bUg.

@filipeamoreira, hands related :)

Jose Angel Cortinas

This is not something that's really "patchable", it's an issue with misinformation. If we all went with the most restrictive settings for mass assignment, then the issue would go away. The problem is that, it's not set to the most strict by default, nor is it as strongly urged (in documentation for example) as it could be. With so many new programmers and novices using Rails, it makes sense to be a little bit more novice-proof and security conscious by default, and make the model generators and default model require you to whitelist accessible attributes.

Matthew Johnston

I would like to see all the attributes thrown into attr_protected by default and I will manually specify attr_accessible on each of my models. Makes me happier this way.

Prathan Thananart

@jacortinas how long before we have magic quotes then? :)

Jose Angel Cortinas

@scomma I understand the concern, I don't want that kind of all-encompassing mess either. :\

Django avoids things like this by establishing the idea of form classes, which is honestly a great way of doing things. What is submitted in forms may not, and should not be exactly what goes into your models. @wycats gist for a fix https://gist.github.com/1974187 is an idea that's very similar. Input handling is not really the responsibility of the model, but of the gateway class that accepts the input.

Brandon R. Stoner

One more reason to not use rails. I'll add it to my huge list.

Luciano Sousa

@monokrome show me a perfect framework/language

Kenan Yildirim

@adrienthebo Perfect.

Jakub Roztočil
jkbr commented on b839657 March 04, 2012

oh noez

Christopher Jeffrey
chjj commented on b839657 March 04, 2012

I was wondering when this would descend into memes.

Vlad Gorodetsky
bai commented on b839657 March 04, 2012

Demeter

When did we get emoticons and gif embedding? This feels like tumblr. (I want the emoticons... please?)

Dennis de Vaal

zomg~!

Chris Rhoden

Can anyone point me to a widely used framework which does not have this issue?

If the mass-assignment problem doesn't exist, it's because there is no mass-assignment, and that's not a framework I am particularly interested in using.

Swoony3

Have you read your SICP today?

Thomas Steinbrenner

Why did you terminate @homakov account? -_-
He benevolently pointed out a vulnerability. Way to piss people off who are trying to be your friends...

Chris Rhoden

@Tie-fighter what evidence do you have that his account was terminated?

Roland Moriz

@chrisrhoden imho it's not about the framework. It's about the handling of an issue. Every framework, language, app has bugs. One of the strengths of a project/community is to deal with it. Before smuggling a commit into the rails repo, homakov opened an issue but that was imho harshly closed with a "not our problem" reply ignoring the underlying problem.

That's probably the reason why he tried to get more attention on this issue, which was very successful with this commit...

Now it's time to go back to something productive and deliver concepts and code.
For example @wycats proposal at https://gist.github.com/1974187

Matt Kydd
mtkd commented on b839657 March 04, 2012

@chrisrhoden mass assignment doesn't need to be removed - the issue is that it's the default - and it's so easy to not lockdown a resource that Github managed to miss it.

If they're going to miss it then you can bet there are 1000s apps out there that are open.

@homakov's additional point that created_at should not be writeable is valid too (certainly in production).

Thomas Steinbrenner

@chrisrhoden He told me so...
@DouweM But he did not mean to harm anybody, such things can happen by accident...

Douwe Maan

@Tie-fighter He had to type this commit and those posts, didn't he? Unless he was sleepcoding, there's no way this was an accident. And even if it was, it doesn't matter; he still did it. I would expect nothing less of GitHub than to ban him. He should just have tested this with repos of his own, and after finding the vulnerabilities he should have submitted a proper bug report to GitHub.

Roland Moriz

@DouweM sure. And the next one who finds a security exploit and gets ignored will sell the exploit straight to the bad guys... do you prefer that?

Douwe Maan

@rmoriz He was ignored by the Rails core team when he reported on attributes not being protected by default. I don't believe he has said anything about the GitHub team ignoring his bug reports, if there were any at all.

And you're viewing this awfully black-and-white, as if the only two options are "act on found vulnerabilities" and "sell exploits to the bad guys."

bashcoder

He's been trying to get people to take this issue seriously for several days now, with "opinionated-software" coders calling him a troll. Good for him for harmlessly driving his point home and hopefully changing some opinions about rails defaults.

Rafa

@DouweM don't be that rude. The post he deleted was while he was testing... he just showed us what can be done in github. Just showed us the vulnerabilities. He could have done anything worse...

Thomas Steinbrenner

@DouweM: "DAMN. dude, sorry for wiping your post :( Sorry, I was 99 percent sure github at least checks for owner... but He doesn't :("
Wow, sounds like a very bad person to me too...

So instead of saying "Thank you for helping us improve" you teach him to keep his mouth shut when he finds a vulnerability (so it does not get fixed and others can exploit it in harmful ways).
Good idea? Think about it...

Douwe Maan

@bashcoder I am definitely for changing the defaults as far as protected attributes is concerned, but he didn't have to act on those found vulnerabilities.

@vanhalt @Tie-fighter Well, I'm just saying he should have tested it on comments of his own, for example. He didn't need to do so on some innocent guy's posts.

@Tie-fighter I'm not saying he should keep his mouth shut, I'm saying he should report this to GitHub, and only make it public after it had been fixed, so no-one else could exploit it. I'm pretty sure that's common practice, when big vulnerabilities in widely used software are found.

Brandon R. Stoner

@lucianosousa Who cares about a perfect one? How about one that works without arguing with it all day? :D

Matt Kydd
mtkd commented on b839657 March 04, 2012

If his account has been deleted after failing to get someone to listen to the issue for 3 days - and then safely demonstrating the exploit in the open:

1) That's an outrage

2) It does nothing to encourage people to report issues in a constructive way and everything to encourage people to use exploits maliciously

Rafa

He did the commit 3 hours ago... and got fixed 2 hours ago ¬¬ come on!

Thomas Steinbrenner

I know this is not my website, my project, my problem... but I think you should reward him instead of punishing him.

If it were though, I would even send him some money for doing the right thing (that is: not trying to sell the vulnerability for 10x the money he could make on a black market)

Prem Sichanugrist
Collaborator

@rmoriz I don't think everyone prefers that, but I don't think he had done a right thing as well.

  • For Ruby on Rails, if there's a security bug he should do according to this: http://rubyonrails.org/security
  • For GitHub, I believe the best way to do it is to create a repository and reproduce the problem in isolation, then report a bug using the "Contact and Support" section, not just publicly running around and doing the things that @DouweM mentioned.

Me, for one, if I found a vulnerability or insecure part I would be sending a report to that site's owner. Just trying to reproduce a bug to get publicity is just like being a jackass and childish. Then, after the bug was fixed, I think he can raise awareness by creating a blog post and telling people that they should whitelist their attributes. That is the smart way to handle it.

Douwe Maan

I'll agree that he probably shouldn't have been banned just like that, my saying that I expected nothing less of GitHub was a bit of a knee-jerk reaction.

Of course what he did, namely act on the found vulnerabilities in the open, is to be preferred over selling it to "bad guys," and while I applaud him for that, he should just have let GitHub know about it first, and there's currently no reason to believe he did so. He was ignored by the Rails core team, not by GitHub as far as we know! The Rails core team should definitely have listened to his concerns, but it's not like he told them of the vulnerabilities uncovered today and they ignored that.

Douwe Maan

@sikachu It looks like we're on the same page here.

Prem Sichanugrist
Collaborator

... and I believe doing those exploits publicly before telling GitHub is violating section A.8 of the ToS, am I right?

You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

I believe he's unauthorized to post as DHH. I believe he's unauthorized to commit to a repository he doesn't have access to.

Rafa

@sikachu that's YOUR smart way to handle it...

Thomas Steinbrenner

@sikachu Well then they should change their ToS.
P.S.: And start a reward program for reporting serious issues.

Douwe Maan

@Tie-fighter That's the thing: he should have reported, not exploited. What if everyone at GitHub had had a day off today? GitHub would be open to be exploited by anyone. He would've been able to get his point across just as well, were he to post a blogpost on this tomorrow, after the vulnerabilities had been fixed.

Thomas Steinbrenner

@DouweM: He did not exploit it. How come? Do you know how he did it? Can you reproduce it?

Douwe Maan

@Tie-fighter How is deleting posts, posting as other people and committing into repos you're not allowed in not exploiting vulnerabilities? Sure, he didn't do any real harm (except to the deleted post), but IMO the right course of action would have been to report this stuff to GitHub, and only announce it to the public after GitHub had had time to fix it. I can't think of a single way in which what he did was a "better" thing to do.

And you're asking if/how I know how he did it? Read through his last couple of posts, it's pretty clear he's exploiting models where GitHub forgot to protect attributes for mass-assignment by defining attr_accessible/attr_protected. And no, I can't reproduce it as GitHub fixed it pretty quickly after the commit we're now commenting on was pushed.
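
The mechanism several commenters describe above (a model that assigns every submitted field unless the developer adds an attr_accessible/attr_protected whitelist, and the form-class gateway idea raised earlier in the thread), as an added example that is not code from the commit, from GitHub or from Rails. It is plain Ruby written for this page: the model classes, the field names (title, key, user_id, created_at) and the tampered form submission are assumptions chosen to mirror the "just adding inputs to forms" behaviour discussed, not the real GitHub models.

```ruby
# Added example: a plain-Ruby simulation of Rails 3-era mass assignment.
# Nothing here is ActiveRecord; class and field names are assumptions.

# Constructed form submission: the fields a legitimate form would send, plus two
# inputs an attacker added to the page in the browser's inspector.
TAMPERED_PARAMS = {
  "title"      => "laptop",
  "key"        => "ssh-rsa AAAA...",
  "user_id"    => 1,                     # injected: not a field on the form
  "created_at" => "2000-01-01 00:00:00", # injected: should never be writable
}.freeze

# "Model" whose attributes= assigns every key it is given, which is what an
# unprotected model did by default: server-side defaults are silently overwritten.
class OpenModel
  attr_reader :attributes

  def initialize(owner_id)
    # Defaults the server sets before any form data arrives.
    @attributes = { "user_id" => owner_id, "created_at" => "2012-03-04 10:00:00" }
  end

  def attributes=(params)
    params.each { |k, v| @attributes[k] = v }
  end
end

# Same model with an attr_accessible-style whitelist: only listed keys are
# assigned, everything else is dropped and recorded for logging.
class WhitelistedModel < OpenModel
  ACCESSIBLE = %w[title key].freeze

  attr_reader :rejected_keys

  def attributes=(params)
    @rejected_keys = params.keys - ACCESSIBLE
    super(params.reject { |k, _| @rejected_keys.include?(k) })
  end
end

# Form-class gateway in the spirit of the Django-style idea from the thread:
# the controller never hands raw params to the model, only a filtered copy,
# so the model itself can stay open to trusted internal callers.
class PublicKeyForm
  PERMITTED = %w[title key].freeze

  def initialize(params)
    @params = params
  end

  def permitted
    @params.select { |k, _| PERMITTED.include?(k) }
  end
end

# Runs the same tampered submission through each path and returns the final
# attributes so the difference in ownership and timestamps is visible.
def demonstrate(params = TAMPERED_PARAMS, owner_id: 42)
  open_model = OpenModel.new(owner_id)
  open_model.attributes = params

  safe_model = WhitelistedModel.new(owner_id)
  safe_model.attributes = params

  gateway_model = OpenModel.new(owner_id)
  gateway_model.attributes = PublicKeyForm.new(params).permitted

  {
    open: open_model.attributes,             # user_id and created_at hijacked
    whitelisted: safe_model.attributes,      # defaults preserved
    rejected: safe_model.rejected_keys,      # what the whitelist dropped
    gateway: gateway_model.attributes,       # defaults preserved
  }
end

if __FILE__ == $PROGRAM_NAME
  demonstrate.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

Running the file shows the open model ending up owned by user 1 with a back-dated created_at, while both the whitelist and the gateway keep the server-side values; the injected keys are only ever visible as the whitelist's rejected list, which is the point at which a real application should log and alert.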

abuddy

It is really disappointing that here goes discussion about his personality and some even try to judge him instead of focusing on the problem he showed.

Thomas Steinbrenner

@DouweM I would consider that a proof of concept.
Ah, but didn't he post an issue for that?

@abuddy full ack!

I, for one, am very disappointed by github and consider canceling my subscription :(
P.S.: And if I do so, I will send him 1 year worth of subscription fees.

Douwe Maan

@abuddy I think that's because most people realize it's a stupid oversight on GitHub's part, but also one that's understandable to some extent, seeing as it's made way too easy by Rails to just define models (via a generator for example) and have the models be completely open for mass-assignment. GitHub fixed it, Rails's attribute protection defaults should be reevaluated and... anything to add?

Yes, I'm disappointed that GitHub made such an obvious mistake, but I'm more concerned over all the other sites that have this vulnerability, caused in the first place by Rails defaults, not stupid developers.

@Tie-fighter He posted an issue about Rails mass-assignment attribute protection defaults, which they ignored/dismissed, which they shouldn't have. The first thing he did when he found vulnerabilities in GitHub, on the other hand, seems to have been exploit them, not report them.

Thomas Steinbrenner

@DouweM He did not exploit anything. Please realize that.

Douwe Maan

@Tie-fighter Could you explain what you mean by that? In my understanding, exploiting is making use of found vulnerabilities. That's what he did.

Joshua Hull

@DouweM Aren't you glad though, at some level, that the issue was exploited in such a public way as to get everyone's attention? In terms of getting the message out there and inflicting a sense of urgency, I can't really imagine a better scenario than this. The cat was already out of the bag as the bug was reported days ago. But now people will have to take it seriously.

Thomas Steinbrenner

@DouweM I think exploiting is (in this context) when you use a vulnerability to ("to" as in "on purpose, not by accident or carelessness") achieve a personal gain or inflict a loss on somebody else. I consider what he did is a proof-of-concept, he demonstrated the vulnerability (doing so without using the exploit is impossible (and doing so does not constitute malevolence)).

Douwe Maan

@joshbuddy Yes, he definitely got a lot of attention for the problem this way, and that's absolutely a good thing: more people should know about vulnerabilities caused by Rails mass-assignment attribute protection defaults, and people should definitely know a site the size of GitHub had such big and obvious vulnerabilities.

I just think it was a bit of an assholeish/childish move to do it like this. In the end I prefer it happening this way to it not being seen by the public and it being covered up by GitHub or whatever, so I guess ultimately I am glad this is how everything turned out, but I don't like that @homakov did it like this. I'm aware I'm not doing a very good job at making myself clear.

Douwe Maan

@Tie-fighter In my opinion it would have been a proof-of-concept had he done it with repos of his own and comments of his own. The moment he started affecting other people (the user that posted the comment he deleted, the user who he posted as (@dhh) and the admins and other users of the repo he hijacked) it became exploitation. The user, @dhh, the Rails core team and all the people who care about the rails/rails repository are innocent in GitHub's forgetting to protect its attributes.

Joshua Hull

@DouweM I'm not gonna force you to try to express yourself too clearly. It's obviously a pretty murky issue, so, hard to come to a clear point on it. In my mind, there are a lot of Rails sites out there, I mean, lots. Someone's gotta wake em up.

Thomas Steinbrenner

So what are you going to do Github?

Douwe Maan

@joshbuddy Which is why I'm happy it happened this way, but I cannot agree with @homakov's actions, even though I do see the merit in the outcome.

Eugene MechanisM

In #5228 he told about vulnerabilities but no one fixed it. so he wanted more attention on this problem.

Thomas Steinbrenner

@DouweM But if it were his own repositories and posts he would be allowed to delete and commit...
And if he created a second account he would have probably violated the ToS as well and somebody would hang him for that...
dafuq dude :(

bbl...

Douwe Maan

@Tie-fighter I'm not so much concerned over violating the ToS, I'm concerned over all the innocent people that got hurt, albeit ever so slightly :p I think he should just have created a second account and tested everything that way. I'm sure they would've forgiven him for creating a second account had he just reported his findings afterward.

@MechanisM Ah you're right, he did show 2 days ago that he had found at least one vulnerability. There's no indication he told GitHub about it though, he was trying to get the attention of the Rails core team to change the default for mass-assignment attribute protection, which I definitely agree with.

Alex R

What would seem to be going on here, is that he was banned because github feels humiliated about what happened here (see how popular this is on Y combinator's hacker news?), and is reacting emotionally or trying to save face at the expense of the truth.

It's nearly impossible to argue that what homakov did was more harm than good for the developer community. This looks like a cut and dry political move by GitHub of vilifying somebody who has demonstrated your weakness in a way to downplay your own responsibility.

I think what happened here is even preferable to it going through the reported channels, and silently being fixed, without attention being drawn to the larger issue here (i.e. rails security). Good for you, homakov, don't let anybody take out their defensiveness over their coding incompetence on you.

Max Bernstein

I congratulate @homakov for finding this vulnerability, and @bashcoder for taking him seriously. I also think, however, that it was right to terminate his account. He violated GitHub's ToS. While he was trying to help GitHub with their vulnerability, it is nearly never a good idea to screw with the application in the process.

EDIT: His comment ("DAMN. dude, sorry for wiping your post :( Sorry, I was 99 percent sure github at least checks for owner... but He doesnt :( What a bug-day") clearly indicates his non-malicious behavior. It's more like reaching out and seeing what he can do than wrecking the site. Go easy on the man.

Douwe Maan

@tekknolagi I agree with everything you said there.

Max Bernstein

Can he please have his account back, @holman ?

totseans

I didn't see a Goatse on Github, I want my money back. If you're going to exploit or at least prove a point, Goatse is the way to go.

Max Bernstein

@totseans That's just gross.

Douwe Maan

@tekknolagi I'm not sure how that would look to people who haven't followed everything @homakov has said and done these last couple days, like we have since all this happened. He broke into the Rails repository and was not even suspended?!

Paul Dacus

Back to real life: If your rails app is cracked, your customer WILL NOT ask the cracker for consulting or a vCard, they will call you and blame You. This guy did nothing wrong, he raised a red flag, got called a troll for his troubles, then demonstrated the problem, and is now getting beat up. He could have done so much worse...

Max Bernstein

@DouweM I've done my fair share of nefarious deeds, and was not punished solely for the fact that I overall increased the security. I'm a white hat. He's... grey, since it's kind of undetermined, but he's not fucking anyone over.

totseans

@tekknolagi Not really, depends on which side you're from. It would be funny and shocking.

Max Bernstein

@totseans I'm getting the impression that @homakov isn't that sort of person.

Benjamin E. Coe
bcoe commented on b839657 March 04, 2012

Egor's Octocat Tattoo
"I survived the githubpocolypse of 2012"

Tadas Tamošauskas

Yes, it was impolite and unnecessary from @homakov. But he's a young, 19 years old guy. Don't kill his enthusiasm by punishing him too hard :)

On the other hand I also understand how GitHub got pissed when a 19 year old messed around with their multimillion user service by editing HTML in WebInspector... :trollface:

Max Bernstein

@Tadast :+1: and I feel like that's all I'm doing on this thread. Agreeing with people... o.O

Zach, have a heart :)

Douwe Maan

@tadast I completely agree!

Thomas Steinbrenner

To clarify: The guy with the github tattoo is @homakov ...
How awesome is that!?! :)

Max Bernstein

Hello,

Just having an email conversation with @homakov, and here's what he responded:

"I was very curious about that bug. Just mad. I tested sites and most of them got kind of that vulnerability. I was mad that people ignore that bug and started checking github just adding inputs to forms. It worked. I couldn't just stop but anyways I WROTE to support right after finding my first vulnerability. Github was silent."

Does he seem malicious? No. Black hat in any way? No.

He just wants it fixed now.

Max

Michael

@homakov is an impatient little fuck who needs to be put to death.

Douwe Maan

@tekknolagi Well, in that case: @homakov If you're reading this, I'm sorry for and take back the harsh things I said about you, I was too quick to judge and I applaud your efforts to get attention for this big issue!

Max Bernstein

@larzconwell Yes, the trollfaces were a tad childish, but if committing to Rails got attention, then it was worth it.

Max Bernstein

@tanepiper Not necessarily hire, but definitely contract him as a white hat.

Max Bernstein

@homa-kov will be posting, and that is the man himself. Verified.

totseans

I still would prefer seeing a Goatse tattoo.

Vitaliy Vasilenko

Holy crap O_O

homa-kov

sup /github/

homa-kov

@Lockal your picture made my mood +100 thanks

So, what's up? I am jerk and bastard, is it your conclusion? :)

Max Bernstein

Are GitHub users really this juvenile? GitHub administrators? Guys, please act like the adults you are.

homa-kov

@tadast hilarious :) smart humor +1

rainyday

The github admins should be mad at their engineers for not fixing a massive security hole in their site, not the guy who called attention to it in a non-damaging way when his bug report was ignored. The approach to handling this that github employees have used is not only counter productive, its unbelievably childish.

aDevilInMe

IMHO Github is not really coming out of this very well.

Ishan Oshadi Jayawardene

If github wasn't immune to this issue, is it realistic to expect other rails deployments to be savvy about this kind of thing?

Dmitrii Golub

@homakov bravo!

Aleksey V. Zapparov
ixti commented on b839657 March 04, 2012

@rainyday +1

He could have done really bad things without making "any noise". Instead he just raised the alarm about a REAL BIG SECURITY problem in a really kind way IMHO.

Sergey Shcherbakov

anyway, whats the point of suspending @homakov?

bashcoder

@sysprv - exactly - this completely debunks the arguments made against @homakov over the past few days. The 'newbie' argument falls flat when an elite group of coders can so easily fall prey to this issue. Meanwhile, rails takes credit for handling cross-site-scripting, sql injection and other "newbie mistakes."

No matter what anybody says, this is a "call-the-neighbors-and-wake-the-kids" kind of issue. It will be interesting to see how many gems get updated this week.

rainyday

@sysprv It's absolutely not. One of the reasons people use frameworks in the first place is because this type of thing is supposed to be done for you minimizing the chance of human error. Github COULD have found this on their own but I don't think they are the ones to blame here. The problem is how they responded. Most software has bugs, what matters is how you respond to them and the Rails team and github have done pretty much everything wrong on that front.

Eric Mill

Is he actually suspended? His account looks up to me.

https://github.com/homakov
https://github.com/homakov/T-For-Translate

Max Bernstein

@klondike He just can't log in.

Eric Mill

I'll just add a couple of points, in case this is still relevant:-

  • Regardless of whether you think Rails should handle this differently, this is not a "0 day attack" or an exploit of a "Rails security hole". The mechanism to secure Github is there without any code changes to Rails, which is how Github could fix it within minutes. Exploiting a vulnerability and violating a site's TOS, at least as far as keeping one's account privileges, is a really serious action that requires serious justification. If this were actual 0day, it might plausibly be defensible, depending on the circumstances.

  • Rails has chosen a pattern which makes it more likely that even a foundational Rails site built by some of the most experienced Rails developers in the world is susceptible to unauthorized data entry. This is an obvious problem, and it reflects poorly on the Rails development team that they wouldn't take it seriously up until now. It's hard to get away from the feeling that as experienced Rails devs themselves, they simply could not empathize with the broader Rails community and chose to blame any vulnerabilities on the incompetence of individual developers.

There is a problem here, but vilifying the Rails framework as having an 0day flaw, or heroizing @homakov for sticking it to the Rails team, are both wrong. It's not black and white, and all we can do is take the conversation to the Rails core team to figure out where to go from here. @wycats is trying to start that process now.

How Github deals with @homakov's account is entirely up to them, and they're well within their rights to terminate his account.

Kevin Postal

+1 Django

Max Mackie

I wouldn't have asked for money off the bat like he did. But I don't see anything wrong with his approach. He probably saved Github from some serious issues down the road (someone would have figured this out).

Mithgol

@tanepiper

@github should hire @homakov

If I were @homakov, I'd decline. The only GitHub's office is in San Francisco, and I guess he'd remember the United States v. ElcomSoft and Sklyarov case. And the fact that Robert S. Mueller is currently Director of the FBI.

Right now any IRL step on U. S. soil probably means @homakov jailed. He probably should also avoid proximity to U. S. vessels, diplomatic missions and other more or less exterritorial objects within his home city.

Tomasz Stachewicz

if i were github, i'd send this guy truckloads of flowers, booze and money for saving their asses. if @homakov sold that exploit on a blackhat market, github -- and its paying customers -- would be in some really deep shit, maybe even on the brink of bankruptcy (imagine all the lawsuits for private code theft). so, this man is a hero and should be treated like one.

now's the time to get some sleep in my timezone, but i expect the upcoming monday to be pretty shitty for many maintainers of rails apps that also sport similar security hole. i'll start the day with checking my own apps for this, actually.

totseans

So.. I still don't see Goatse. Anyway, I guess at this point everyone should be A) backing up their code B) protecting it C) nailing Github ass D) Helping @homakov out.

rainyday

@klondike Of course Github has the right to ban @homakov, claiming otherwise would be absurd. Banning white-hat hackers sends the message that you're more concerned with saving face than actually fixing things and a company whose entire userbase is made up of developers should know better.

Paul Dacus

NEWSFLASH: @homakov found to be github "plant" so free users upgrade to paid plans! Details @ 11! :-)

bashcoder

haha - yeah, well, this paid plan customer just typed this command: git clone git://github.com/sitaramc/gitolite.git

Paul Dacus

Jose Valim quits and the neighborhood goes to hell. :smile:

Vasili Kachalko

@ElDeveloper adding fields to a form in Firebug doesn't make him a cool specialist.

Mohnish Thallavajhula

Github is so much fun today! Epic commit btw!

Daniel Hommel

All in favor of Egor. Thanks for pushing github to be a better platform.

Daniel Hommel

And btw lol @ all the meme stuff... Waiting for some Bear Grylls...

Torao Takami

funny

Egor Homakov

Freedom! Next time my tattoo is gonna be real! :3

and

sorry

Daniel Hommel

lol.... Egor++

@homakov congrats for your freedom!!

Mohnish Thallavajhula

@homakov you got your account back. Github +1.

Joel Berger

@tomash, agree 100%. Can you imagine what he would have gotten from the black market!?!?! If someone walked up to you and said: you can have $1M and no one will know, or you can make a couple of jokes and then hellfire and brimstone will rain down on you for making the right choice, what would any of you have done?

I agree with gitmonster. I'm glad this got resolved as quickly as it did.

Earl Cochran

@KenanY that had me laughing like a fool out loud. Nice

Roland Moriz

Glad this issue is now resolved. Back to work!

totseans

Oh well, back to work.

Joel Berger

Welcome back @homakov. FWIW you got your message across. Not sure you could have done it any other way. Take this as a lesson all you devs, take all your bug reports seriously.

J. Javier Maestro

@gitmonster +infinities and also @DouweM and @tekknolagi

Most comments are completely childish. I've been on both sides of the equation and believe me, mature people deal with this in a much cleaner way. Lots of people find vulnerabilities bigger than this EVERY day. You just don't hear about them because they are quiet and respect the rules of engagement in Security: report and wait ENOUGH time (not just hit a huge website with a huge bug and expect it to be fixed immediately! Which they did, BTW, huge kudos to Github for their amazing response...)

Having read a lot on this issue, I'm certain @homakov tried to do The Right Thing (TM) and he just messed up due to inexperience and the kind of light-minded attitude that we all have had when we were young. I'm also sure he has learned a big lesson today and all his 0day vulnerabilities will be properly reported from now on instead of breaking hell loose on a Sunday evening.

Thanks @homakov, the Github team and everybody involved in the fixes!

J. Javier Maestro

And now people, LEARN how a good company behaves during such tough times. Please, read the official story of what happened:
https://github.com/blog/1069-responsible-disclosure-policy

Almir 'm3nd3s'

I really enjoyed reading these comments, I love open source projects \o/

rainyday

Well, I take back what I said, Github seems to be handling this admirably. At least in the end.

Luis Cordova

@homakov is symbol of freedom! Thank you! @php_peru is with you!

Rich Jones

No harm no foul, I suppose. Real hacking is always playful!

Fascinating to watch the evolution of this bug (if you look at the tickets, and the tickets which that ticket references) - Rails' aim to be easy for beginners has become a stumbling point even for the most advanced experts.

+1 for the hack, +1 for GitHub for being so sensible about this. (+1 when Rails changes the default?)

Alex Corrado
chkn commented on b839657 March 04, 2012

-1 for GitHub's lack of humility about all this. I sincerely hope they are doing a little more for @homakov than just giving him back what he had before. He really did them a big favor.

Jonny

lol wow

Kenan Yildirim

@rmoriz Oh gosh that caught me by surprise.

Ting-Yen Lai

well done

Rafael Lima

A solution to a more obscure problem related to the "vulnerability" of mass assignment:
https://gist.github.com/1976687

Eric Walker

After reading through the bug history, I'm glad @homakov persisted. People simply weren't taking him seriously. It looks pretty bad in retrospect.

Off topic: how can I disable all types of notifications coming from this commit? I have done so for email notifications for this commit, but I would also like to stop receiving tons of notifications via GitHub's interface. Anyone know how? Thanks.

Jose Angel Cortinas

@Apelsin right below the comment box at the end of this commit, there is a link to disable email notifications for this commit.

i3zhe

Actually, this one is hacked by Lei Feng from China.

Mar 5 2012

Christoph Jasinski

Shit I'm using @github and @rails right now.
=> Now I have to spend the whole week to move our enterprise code to PHP and CVS.

Alexander Kuhta

Chikey, you did everything right. Russia is proud of you :D

@jacortinas Please re-read what I wrote. I just said I did that already and what I am asking for is how to disable ALL notifications for THIS commit.
Thanks.

Jose Angel Cortinas
hzlzh

Just see the 5th comment in front of this one LOL~~~

肥老大

Make the world better, you can.

Harsha Siriwardena

Oops! This is not so nice to hear! :@

Roma Milushov

I'm writing in the epic thread

Christoph Jasinski

With that, all those "node.js community is so immature" phrases come to my mind. Seems like there are more of these ...

Ben James

Rails is PHP in disguise?

Marcin Stecki

put this in your initializer and forget all about it:

ActiveRecord::Base.send(:attr_accessible, nil)
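
To show what that initializer line actually changes, here is a stand-alone Ruby sketch (added here; not code from the thread or from Rails itself) of a Rails 3 style attr_accessible whitelist: a model with no whitelist accepts every request parameter, a model with an explicit whitelist drops the rest, and the global `attr_accessible(nil)` turns the default into an empty whitelist. The classes, the `admin` attribute and the request parameters are constructed for the example.

```ruby
class Model
  # attr_accessible installs a whitelist; with nil (the initializer one-liner
  # above) the whitelist is empty, so every attribute is protected by default.
  def self.attr_accessible(*names)
    @whitelist = names.compact.map(&:to_s)
  end
  # Nearest declared whitelist up the class chain; nil means none was declared
  # (the Rails 3.x default: every attribute is mass-assignable).
  def self.whitelist
    return @whitelist if instance_variable_defined?(:@whitelist)
    superclass.respond_to?(:whitelist) ? superclass.whitelist : nil
  end
  attr_reader :attributes
  def initialize(attributes = {})
    @attributes = attributes.dup
  end
  # Mass assignment: copies request params onto the record, keeping only
  # whitelisted keys when a whitelist exists. Returns the keys it dropped.
  def update_attributes(params)
    allowed = self.class.whitelist
    dropped = []
    params.each do |key, value|
      if allowed.nil? || allowed.include?(key.to_s)
        @attributes[key.to_s] = value
      else
        dropped << key.to_s
      end
    end
    dropped
  end
end

class LegacyUser < Model; end   # no whitelist declared anywhere (constructed)
class User < Model
  attr_accessible :name, :email # explicit per-model opt-in (constructed)
end

# Constructed request body: a normal profile edit plus a field the form never offers.
TAMPERED_PARAMS = { "name" => "alice", "admin" => true }.freeze

def demo
  legacy = LegacyUser.new("admin" => false)
  legacy.update_attributes(TAMPERED_PARAMS)              # admin silently flips to true
  safe = User.new("admin" => false)
  safe_dropped = safe.update_attributes(TAMPERED_PARAMS) # "admin" is dropped
  Model.attr_accessible(nil)   # the initializer line: empty whitelist for all models
  locked_dropped = LegacyUser.new("admin" => false).update_attributes(TAMPERED_PARAMS)
  { legacy_admin: legacy.attributes["admin"], safe_admin: safe.attributes["admin"],
    safe_dropped: safe_dropped, locked_dropped: locked_dropped }
end
```

Once the global empty whitelist is installed, a model that forgets to declare attr_accessible drops every parameter instead of accepting every parameter, which is the fail-closed default the thread is asking for.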

pwlin

put this in your php.ini and forget all about it:

register_globals = Off

Christoph Jasinski

Only CoffeeScript allowed :P

Dalibor Filus

I wonder how many bugs like this are in GitHub's (and my) code. What about subscriptions, for example...

Andrii Kostenko
gugu commented on b839657 March 05, 2012

there are no kittens in this thread

kitten

MiniNaim

Wow, amazing thread! Even if I'm not a Rails developer!

Simon Cornelius P. Umacob

 _____ _   _ _____    ____    _    __  __ _____ 
|_   _| | | | ____|  / ___|  / \  |  \/  | ____|
  | | | |_| |  _|   | |  _  / _ \ | |\/| |  _|  
  | | |  _  | |___  | |_| |/ ___ \| |  | | |___ 
  |_| |_| |_|_____|  \____/_/   \_\_|  |_|_____|

darkstalker

lol gg

OMG GitHub has turned into Reddit/2+2...

Chris Wheeler

upvote

Matt Caldwell

I hereby associate myself with this epic commit thread.

paulwal

@homakov

Congrats on unbanning yourself!

PS- can you upgrade my account? Thanks!

default

This is not a design problem... of the architecture, but that of the default policy making assignment implicit AND of the user (GitHub) not being security conscious enough. And since GitHub was informed about the status quo it's its sole responsibility for being hacked, and they were IN LUCK that it wasn't someone malevolent. Committing to the main branch guaranteed a speedy alert of the responsible personnel and a patch fixing all apps hence.

Eugene MechanisM

@homakov "get account back" - is nice reward. Congrats! :trollface:

Christopher Johnston

quazy

Grant Galitz

And these meme-centric comments are why some developers can't take github seriously.

Earl Cochran

@grantgalitz Exactly. This is a place for coders to get things done. Go back to Reddit and 4chan if you want meme pictures and let the men and women do work.

Grant Galitz

@methoddk If github introduces upvoting for comments I swear a table shall be flipped.

Fosco Marotto

Oh please... get over yourselves.

GitHub is one of the greatest things ever created.

Rails, however... not so much.

Guillermo A. Amaral

@gfosco I can't agree more... stupid Rails. Powered Rails on the other hand, they are pretty awesome, but you do need to get a lot of gold.

Aaron K. Clark

When you commit in master, the terrorists win!

Neil Matatall

use https://github.com/presidentbeef/brakeman, it finds mass assignment vulnerabilities pretty darn well

Mike Zeena

Bravo!

koopa

good job mate :)
you did the right thing in my opinion. no harm done but great way to get attention for a critical issue

Celestino Gomes

@oreoshake awesome tool +1

Christian Pearce

@Petah what were you thinking?

Steven Seeley

LOL

Kirk Bushell

What an interesting discussion. Point of the matter is - the guy pointed out a vulnerability, some people decided it should be ignored (being a security issue that's a pretty big problem), so he made it even more obvious to the entire community and some people are putting him down for it. Absolute joke.

Marco Pivetta

Wow, now really, how much will it take to have also a register_globals-like functionality? =)
Seriously rails? :|

default

@Ocramius and @others:
register_globals and magic_quotes are deprecated and have been removed in latest versions of PHP, so you don't shine and unless you're being vaguely sarcastic, you show you lack skill.

Marco Pivetta

@rishta you don't say? :D

pwlin

@rishta
Your comment lacks a certain level of understanding the joke.
Of course they are deprecated, because PHP - by design - is no longer vulnerable to this sort of attack. That was the whole point.
By not fixing these holes in a default installation, RoR now scores even lower than PHP of 5 years ago.

Joel Berger

@github, pretty please is there some way to turn off notifications from this thread without turning off all commit comment notifications?

Michal Gebauer

If PHP code is producing errors with register_globals on, you are a terrible, terrible programmer. If you are using magic_quotes, you are simply stupid.

Matthew Johnston

If PHP code is producing errors with register_globals on, you are a terrible, terrible programmer. If you are using magic_quotes, you are simply stupid.

But I like magic! David Blaine is soo cool

Aleksey V. Zapparov
ixti commented on b839657 March 06, 2012

@jberger I use Firebug: $('.del a').click() on notification page to get rid of approx 10 messages per hour from this thread :))

Mike Liu

wow

Dreamr

Welcome to Rails :) If you aren't using attr_accessible Santa kills 3 kittens for every vulnerable model.

Grant Galitz

</thread>

He can hack...but can he spell?

Mithgol

@dreamr

Santa kills 3 kittens for every vulnerable model

In this case there was a dead octokitten.

Akhil Wali

holy crap

Alexey Palazhchenko

I guess you should do the same in Russian then. ;)

Voice of overstrain, my humour is not translated into Russian very well ;)

Kevin Postal

Pagination for the win..

Egor Homakov

@larzconwell
1. There is a 'mark all as read' button on the notifications tab.
2. Why do you think clearing messages should help? I am 100% sure they have a table for participating users and you will be there FOREVER.

Kevin Elliott

Damnit, can't I go one day without having to see Michael Jackson?

Gabriel Mazetto

Epic commit is epic!

Dalibor Filus

Why do I still get notifications about this thread when I unsubscribed a few days ago and, according to the bottom of this page, they are properly off? :/

Bohdan Makohin

Rails developer: security? Nah, never heard of it!

(Ukrainian)

Mithgol

@NoICE

Why I still get notifications about this thread when I unsubscribed few days ago and according to the bottom of this page they are properly off? :/

Check the «Comments after me on commits» setting in your Notification Center.

Dalibor Filus

@Mithgol thanks!

Johannes Fahrenkrug

Wow, all these animated gifs make me feel like I'm on a 1996 Geocities page.

Marco Pivetta

@jfahrenkrug that's exactly what they're meant for... We're commenting on 1996's web applications' security issues :D

Ruslan Khamidullin

Homakov, you rock )

Александр Костриков

Indeed, not really.

Vasili Kachalko

Yeah, dude, you've got some problems with Russian :)

何旭东

Interesting.

ArBing
arbing commented on b839657 May 23, 2012

So much fun.

Alexey Plotnik

Egor Letov live!

liang

Leaving my mark before this goes viral = =

Frank Su

Already viral, leaving my mark...
