Showing with 3 additions and 0 deletions.
+3 −0  hacked
@@ -0,0 +1,3 @@
+another showcase of rails apps vunlerability.
jsauve added a note

He can hack...but can he spell?

AlekSi added a note

I guess you should do the same in Russian then. ;)

jsauve added a note

My inflection of voice, my humor not very well translated into Russian ;)

Indeed, not very well

Yeah, dude, you've got some problems with Russian :)

+Github pwned. again :(
+will you pay me for security audit?
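Review bot: this hunk should be reverted rather than kept: the new file `hacked` is a three-line plain-text message to the maintainers ("+another showcase of rails apps vunlerability.", "+Github pwned. again :(", "+will you pay me for security audit?"), not a change to the project, and as committed it would sit in the repository root. The first line also misspells "vulnerability"; the request for a paid audit belongs in an issue or a support ticket, not in the tree.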

254 comments on commit b839657






Since you can commit to master, you could just fix the vulnerability :)
Also, Rails is open source - you get it for free, why not make it better for free as well?


relevant: #5228


Not sure if this is the best way to prove your point :rage:


@brookemckim sorry if it looks stupid.:(

@tadast I was going to! But I 'm not done yet :trollface:


Nice find, thanks for pointing this out. Need to be more cautious about XSS and mass-assignment

@brookemckim would you have listened if he didn't?


If everyone is doing it wrong, there is enough reason to fix it through more restrictive defaults. imho.


If everyone is doing it wrong, it's just a reason to read documentation.


You don't get better trolling than this.


I doubt that Github failed at "reading the documentation". If Rails is so serious about providing the best tool to developers and it's conventions being the best practice, then it's important that the framework establish a convention of more strict security by default.


Nice catch haha!


Good catch and let's hope this gets addressed.


We've patched and fixed this on GitHub.


:+1: @holman.

but who knows how many apps have this issue and don't even realize it. :(


Love you @holman


@holman Has this been fixed in Rails upstream? If not, did you guys send a pull request?


@holman Pretty fast response for a Sunday morning. Do you mind sharing some details of the patch? Was it Rails related?


@filipeamoreira Probably just missing attr_accessible, see: #5228


@filipeamoreira, hands related :)


This is not something that's really "patchable", it's an issue with misinformation. If we all went with the most restrictive settings for mass assignment, then the issue would go away. The problem is that, it's not set to the most strict by default, nor is it as strongly urged (in documentation for example) as it could be. With so many new programmers and novices using Rails, it makes sense to be a little bit more novice-proof and security conscious by default, and make the model generators and default model require you to whitelist accessible attributes.


I would like to see all the attributes thrown into attr_protected by default and I will manually specify attr_accessible on each of my models. Makes me happier this way.


@jacortinas how long before we have magic quotes then? :)


@scomma I understand the concern, I don't want that kind of all-encompassing mess either. :\

Django avoids things like this by establishing the idea of form classes, which is honestly a great way of doing things. What is submitted in forms may not, and should not be exactly what goes into your models. @wycats gist for a fix is an idea that's very similar. Input handling is not really the responsibility of the model, but of the gateway class that accepts the input.
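The mass-assignment behaviour being argued over above (open-by-default columns, the attr_accessible whitelist, and the "attr_accessible nil on ActiveRecord::Base" default-deny idiom quoted later in the thread) can be run without Rails. The following is an added example written for this page, not code from rails/rails or from GitHub: a plain-Ruby stand-in that copies the ActiveRecord semantics (mass assignment via a params hash, an optional whitelist, direct setters that bypass it). The model and column names (PublicKey, user_id, title, key, created_at) and the request body are assumptions made for the illustration.

```ruby
# Added example, not rails/rails or GitHub code: a minimal stand-in for ActiveRecord
# mass assignment.  Column and model names are assumed for the illustration.
require 'time'

class Model
  attr_reader :attributes, :rejected

  def self.columns(*names)
    @columns = names.map(&:to_s)
  end

  def self.column_names
    @columns || (superclass.respond_to?(:column_names) ? superclass.column_names : [])
  end

  # Whitelist, as attr_accessible in Rails 3.x.  Declared on a subclass it applies
  # there; declared on Model it is inherited by every model (the "attr_accessible nil
  # on ActiveRecord::Base" idiom).  nil means no whitelist at all: every column is
  # assignable, which is what a generated Rails 3.0/3.1 model got.
  def self.attr_accessible(*names)
    @accessible = names.compact.map(&:to_s)
  end

  def self.accessible_attributes
    return @accessible if instance_variable_defined?(:@accessible)
    superclass.respond_to?(:accessible_attributes) ? superclass.accessible_attributes : nil
  end

  def initialize(params = {})
    @attributes = {}
    @rejected = []
    assign_attributes(params)
  end

  # Mass assignment: every column named in params is written unless a whitelist
  # exists and excludes it.  Rejected names are recorded, standing in for the
  # :logger mass_assignment_sanitizer (the :strict one raises instead).
  def assign_attributes(params)
    whitelist = self.class.accessible_attributes
    params.each do |name, value|
      name = name.to_s
      next unless self.class.column_names.include?(name)
      if whitelist && !whitelist.include?(name)
        @rejected << name
      else
        @attributes[name] = value
      end
    end
    self
  end

  # Direct write (record.user_id = ...), which attr_accessible never restricts.
  # This is the path a controller should use to set the owner.
  def []=(name, value)
    @attributes[name.to_s] = value
  end

  def [](name)
    @attributes[name.to_s]
  end
end

# The vulnerable shape: no whitelist, so every column is mass-assignable.
class OpenPublicKey < Model
  columns :user_id, :title, :key, :created_at
end

# The hardened shape: only the two fields the edit form legitimately submits.
class SafePublicKey < Model
  columns :user_id, :title, :key, :created_at
  attr_accessible :title, :key
end

# Constructed request body (not captured traffic).  The real form only has title
# and key; the last two keys are what an attacker adds with "add input" in a
# browser inspector before submitting.
ATTACKER_PARAMS = {
  'title'      => 'laptop',
  'key'        => 'ssh-rsa AAAAB3Nza... attacker@example.invalid', # placeholder string, not a real key
  'user_id'    => 1,                       # another account's id
  'created_at' => '2000-01-01 00:00:00',   # backdate the record
}.freeze

# The update action the thread is about: record.update_attributes(params[:public_key]).
def update_key(record, params)
  record.assign_attributes(params)
end

# A key that belongs to account 42, then edited by account 42 with the crafted body.
def exploited_key
  key = OpenPublicKey.new
  key['user_id'] = 42
  key['created_at'] = Time.utc(2012, 3, 4).iso8601
  update_key(key, ATTACKER_PARAMS)
end

def protected_key
  key = SafePublicKey.new
  key['user_id'] = 42
  key['created_at'] = Time.utc(2012, 3, 4).iso8601
  update_key(key, ATTACKER_PARAMS)
end

if __FILE__ == $0
  e = exploited_key
  puts "open model: user_id=#{e['user_id']} created_at=#{e['created_at']}"
  s = protected_key
  puts "safe model: user_id=#{s['user_id']} created_at=#{s['created_at']} rejected=#{s.rejected.inspect}"
end
```

Run it and the open model ends up owned by account 1 with a backdated created_at, while the whitelisted model keeps owner and timestamp and records the two rejected names. Two points worth keeping in mind when applying this to real Rails code: attr_accessible only governs mass assignment, so `current_user.public_keys.build(...)` and `record.user_id = ...` keep working after you lock a model down; and in Rails 3.2 the same default-deny can be switched on for every model with `config.active_record.whitelist_attributes = true` in config/application.rb instead of the Base-class `send` idiom.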


One more reason to not use rails. I'll add it to my huge list.


@monokrome show me a perfect framework/language


I was wondering when this would descend into memes.


When did we get emoticons and gif embedding? This feels like tumblr. (I want the emoticons... please?)




Can anyone point me to a widely used framework which does not have this issue?

If the mass-assignment problem doesn't exist, it's because there is no mass-assignment, and that's not a framework I am particularly interested in using.


Have you read your SICP today?


Why did you terminate @homakov account? -_-
He benevolently pointed out a vulnerability. Way to piss people off who are trying to be your friends...


@Tie-fighter what evidence do you have that his account was terminated?


@chrisrhoden imho it's not about the framework. It's about the handling of an issue. Every framework, language, app has bugs. One of the strengths of a project/community is how it deals with them. Before smuggling a commit into the rails repo, homakov opened an issue but that was imho harshly closed with a "not our problem" reply ignoring the underlying problem.

That's probably the reason why he tried to get more attention on this issue, which was very successful with this commit...

Now it's time to go back to something productive and deliver concepts and code.
For example @wycats proposal at


@chrisrhoden mass assignment doesn't need to be removed - the issue is that it's the default - and it's so easy to not lockdown a resource that Github managed to miss it.

If they're going to miss it then you can bet there are 1000s apps out there that are open.

@homakov's additional point that created_at should not be writeable is valid too (certainly in production).


@chrisrhoden He told me so...
@DouweM But he did not mean to harm anybody, such things can happen by accident...


@Tie-fighter He had to type this commit and those posts, didn't he? Unless he was sleepcoding, there's no way this was an accident. And even if it was, it doesn't matter; he still did it. I would expect nothing less of GitHub than to ban him. He should just have tested this with repos of his own, and after finding the vulnerabilities he should have submitted a proper bug report to GitHub.


@DouweM sure. And the next one who finds a security exploit and gets ignored will sell the exploit straight to the bad guys... do you prefer that?


@rmoriz He was ignored by the Rails core team when he reported on attributes not being protected by default. I don't believe he has said anything about the GitHub team ignoring his bug reports, if there were any at all.

And you're viewing this awfully black-and-white, as if the only two options are "act on found vulnerabilities" and "sell exploits to the bad guys."


He's been trying to get people to take this issue seriously for several days now, with "opinionated-software" coders calling him a troll. Good for him for harmlessly driving his point home and hopefully changing some opinions about rails defaults.


@DouweM don't be that rude. The post he deleted was while he was testing... he just showed us what can be done in github. Just showed us the vulnerabilities. He could have done anything worse...


@DouweM: "DAMN. dude, sorry for wiping your post :( Sorry, I was 99 percent sure github at least checks for owner... but He doesnt :("
Wow, sounds like a very bad person to me too...

So instead of saying "Thank you for helping us improve" you teach him to keep his mouth shut when he finds a vulnerability (so it does not get fixed and others can exploit it in harmful ways).
Good idea? Think about it...


@bashcoder I am definitely for changing the defaults as far as protected attributes is concerned, but he didn't have to act on those found vulnerabilities.

@vanhalt @Tie-fighter Well, I'm just saying he should have tested it on comments of his own, for example. He didn't need to do so on some innocent guy's posts.

@Tie-fighter I'm not saying he should keep his mouth shut, I'm saying he should report this to GitHub, and only make it public after it had been fixed, so no-one else could exploit it. I'm pretty sure that's common practice, when big vulnerabilities in widely used software are found.


@lucianosousa Who cares about a perfect one? How about one that works without arguing with it all day? :D


If his account has been deleted after failing to get someone to listen to the issue for 3 days - and then safely demonstrating the exploit in the open:

1) That's an outrage

2) It does nothing to encourage people to report issues in a constructive way and everything to encourage people to use exploits maliciously


He did the commit 3 hours ago... and it got fixed 2 hours ago ¬¬ come on!


I know this is not my website, my project, my problem... but I think you should reward him instead of punishing him.

If it were though, I would even send him some money for doing the right thing (that is: not trying to sell the vulnerability for 10x the money he could make on a black market)


@rmoriz I don't think everyone prefers that, but I don't think he had done a right thing as well.

  • For Ruby on Rails, if there's a security bug he should do according to this:
  • For GitHub, I believe the best way to do it is to create a repository and reproduce the problem in isolation, then report a bug using the "Contact and Support" section, not just publicly running around and performing that stuff that @DouweM mentioned.

Me, for one, if I found a vulnerability or insecure part I would be sending a report to that site's owner. Just reproducing a bug to get publicity is just being a jackass and childish. Then, after the bug was fixed, I think he can raise awareness by creating a blog post and tell people that they should whitelist their attributes. That is the smart way to handle it.


I'll agree that he probably shouldn't have been banned just like that, my saying that I expected nothing less of GitHub was a bit of a knee-jerk reaction.

Of course what he did, namely act on the found vulnerabilities in the open, is to be preferred over selling it to "bad guys," and while I applaud him for that, he should just have let GitHub know about it first, and there's currently no reason to believe he did so. He was ignored by the Rails core team, not by GitHub as far as we know! The Rails core team should definitely have listened to his concerns, but it's not like he told them of the vulnerabilities uncovered today and they ignored that.


@sikachu It looks like we're on the same page here.


... and I believe doing those exploits publicly before telling GitHub is violating section A.8 of the ToS, am I right?

You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

I believe he's unauthorized to post as DHH. I believe he's unauthorized to commit to a repository he doesn't have access to.


@sikachu that's YOUR smart way to handle it...


@sikachu Well then they should change their ToS.
P.S.: And start a reward program for reporting serious issues.


@Tie-fighter That's the thing: he should have reported, not exploited. What if everyone at GitHub had had a day off today? GitHub would be open to be exploited by anyone. He would've been able to get his point across just as well, were he to post a blogpost on this tomorrow, after the vulnerabilities had been fixed.


@DouweM: He did not exploit it. How come? Do you know how he did it? Can you reproduce it?


@Tie-fighter How is deleting posts, posting as other people and committing into repos you're not allowed in not exploiting vulnerabilities? Sure, he didn't do any real harm (except to the deleted post), but IMO the right course of action would have been to report this stuff to GitHub, and only announce it to the public after GitHub had had time to fix it. I can't think of a single way in which what he did was a "better" thing to do.

And you're asking if/how I know how he did it? Read through his last couple of posts, it's pretty clear he's exploiting models where GitHub forgot to protect attributes for mass-assignment by defining attr_accessible/attr_protected. And no, I can't reproduce it as GitHub fixed it pretty quickly after the commit we're now commenting on was pushed.


It is really disappointing that here goes discussion about his personality and some even try to judge him instead of focusing on the problem he showed.


@DouweM I would consider that a proof of concept.
Ah, but didn't he post an issue for that?

@abuffy full ack!

I, for one, am very disappointed by github and consider canceling my subscription :(
P.S.: And if I do so, I will send him 1 year worth of subscription fees.


@abuddy I think that's because most people realize it's a stupid oversight on GitHub's part, but also one that's understandable to some extent, seeing as it's made way too easy by Rails to just define models (via a generator for example) and have the models be completely open for mass-assignment. GitHub fixed it, Rails's attribute protection defaults should be reevaluated and... anything to add?

Yes, I'm disappointed that GitHub made such an obvious mistake, but I'm more concerned over all the other sites that have this vulnerability, caused in the first place by Rails defaults, not stupid developers.

@Tie-fighter He posted an issue about Rails mass-assignment attribute protection defaults, which they ignored/dismissed, which they shouldn't have. The first thing he did when he found vulnerabilities in GitHub, on the other hand, seems to have been exploit them, not report them.


@DouweM He did not exploit anything. Please realize that.


@Tie-fighter Could you explain what you mean by that? In my understanding, exploiting is making use of found vulnerabilities. That's what he did.


@DouweM Aren't you glad though, at some level, that the issue was exploited in such a public way as to get everyone's attention? In terms of getting the message out there and inflicting a sense of urgency, I can't really imagine a better scenario than this. The cat was already out of the bag as the bug was reported days ago. But now people will have to take it seriously.


@DouweM I think exploiting is (in this context) when you use a vulnerability to ("to" as in "on purpose, not by accident or carelessness") achieve a personal gain or inflict a loss on somebody else. I consider what he did is a proof-of-concept, he demonstrated the vulnerability (doing so without using the exploit is impossible (and doing so does not constitute malevolence)).


@joshbuddy Yes, he definitely got a lot of attention for the problem this way, and that's absolutely a good thing: more people should know about vulnerabilities caused by Rails mass-assignment attribute protection defaults, and people should definitely know a site the size of GitHub had such big and obvious vulnerabilities.

I just think it was a bit of an assholeish/childish move to do it like this. In the end I prefer it happening this way to it not being seen by the public and it being covered up by GitHub or whatever, so I guess ultimately I am glad this is how everything turned out, but I don't like that @homakov did it like this. I'm aware I'm not doing a very good job at making myself clear.


@Tie-fighter In my opinion it would have been a proof-of-concept had he done it with repos of his own and comments of his own. The moment he started affecting other people (the user that posted the comment he deleted, the user who he posted as (@dhh) and the admins and other users of the repo he hijacked) it became exploitation. The user, @dhh, the Rails core team and all the people who care about the rails/rails repository are innocent in GitHub's forgetting to protect its attributes.


@DouweM I'm not gonna force you to try to express yourself too clearly. It's obviously a pretty murky issue, so, hard to come to a clear point on it. In my mind, there are a lot of Rails sites out there, I mean, lots. Someone's gotta wake em up.


So what are you going to do Github?


@joshbuddy Which is why I'm happy it happened this way, but I cannot agree with @homakov's actions, even though I do see the merit in the outcome.


In #5228 he told about vulnerabilities but no one fixed it. so he wanted more attention on this problem.


@DouweM But if it were his own repositories and posts he would be allowed to delete and commit...
And if he created a second account he would have probably violated the ToS as well and somebody would hang him for that...
dafuq dude :(



@Tie-fighter I'm not so much concerned over violating the ToS, I'm concerned over all the innocent people that got hurt, albeit ever so slightly :p I think he should just have created a second account and tested everything that way. I'm sure they would've forgiven him for creating a second account had he just reported his findings afterward.

@MechanisM Ah you're right, he did show 2 days ago that he had found at least one vulnerability. There's no indication he told GitHub about it though, he was trying to get the attention of the Rails core team to change the default for mass-assignment attribute protection, which I definitely agree with.


What would seem to be going on here, is that he was banned because github feels humiliated about what happened here (see how popular this is on Y combinator's hacker news?), and is reacting emotionally or trying to save face at the expense of the truth.

It's nearly impossible to argue that what homakov did was more harm than good for the developer community. This looks like a cut and dry political move by GitHub of villifying somebody who has demonstrated your weakness in a way to downplay your own responsibility.

I think what happened here is even preferable to it going through the reported channels, and silently being fixed, without attention being drawn to the larger issue here (i.e. rails security). Good for you, homakov, don't let anybody take out their defensiveness over their coding incompetence on you.


I congratulate @homakov for finding this vulnerability, and @bashcoder for taking him seriously. I also think, however, that it was right to terminate his account. He violated GitHub's ToS. While he was trying to help GitHub with their vulnerability, it is nearly never a good idea to screw with the application in the process.

EDIT: His comment ("DAMN. dude, sorry for wiping your post :( Sorry, I was 99 percent sure github at least checks for owner... but He doesnt :( What a bug-day") clearly indicates his non-malicious behavior. It's more like reaching out and seeing what he can do than wrecking the site. Go easy on the man.


@tekknolagi I agree with everything you said there.


Can he please have his account back, @holman ?


I didn't see a Goatse on Github, I want my money back. If you're going to exploit or at least prove a point, Goatse is the way to go.


@totseans That's just gross.


@tekknolagi I'm not sure how that would look to people who haven't followed everything @homakov has said and done these last couple days, like we have since all this happened. He broke into the Rails repository and was not even suspended?!


Back to real life: If your rails app is cracked, your customer WILL NOT ask the cracker for consulting or a vCard, they will call you and blame You. This guy did nothing wrong, he raised a red flag, got called a troll for his troubles, then demonstrated the problem, and is now getting beat up. He could have done so much worse...


@DouweM I've done my fair share of nefarious deeds, and was not punished solely for the fact that I overall increased the security. I'm a white hat. He's... grey, since it's kind of undetermined, but he's not fucking anyone over.


@tekknolagi Not really, depends on which side you're from. It would be funny and shocking.


@totseans I'm getting the impression that @homakov isn't that sort of person.


Egor's Octocat Tattoo
"I survived the githubpocolypse of 2012"


Yes, it was impolite and unnecessary from @homakov. But he's a young, 19 years old guy. Don't kill his enthusiasm by punishing him too hard :)

On the other hand I also understand how GitHub got pissed when a 19 year old messed around with their multimillion user service by editing HTML in WebInspector... :trollface:


@Tadast :+1: and I feel like that's all I'm doing on this thread. Agreeing with people... o.O

Zach, have a heart :)


@tadast I completely agree!


To clarify: The guy with the github tattoo is @homakov ...
How awesome is that!?! :)



Just having an email conversation with @homakov, and here's what he responded:

"I was very curious about that bug. Just mad. I tested sites and most of them got kind of that vulnerability. I was mad that people ignore that bug and started checking github just adding inputs to forms. It worked. I couldn't just stop but anyways I WROTE to support right after finding my first vulnerability. Github was silent."

Does he seem malicious? No. Black hat in any way? No.

He just wants it fixed now.



@homakov is an impatient little fuck who needs to be put to death.


@tekknolagi Well, in that case: @homakov If you're reading this, I'm sorry for and take back the harsh things I said about you, I was too quick to judge and I applaud your efforts to get attention for this big issue!


@larzconwell Yes, the trollfaces were a tad childish, but if committing to Rails got attention, then it was worth it.


@tanepiper Not necessarily hire, but definitely contract him as a white hat.


@homa-kov will be posting, and that is the man himself. Verified.


I still would prefer seeing a Goatse tattoo.


Holy crap O_O


sup /github/


@Lockal your picture made my mood +100 thanks

So, what's up? I am jerk and bastard, is it your conclusion? :)


Are GitHub users really this juvenile? GitHub administrators? Guys, please act like the adults you are.


@tadast hilarious :) smart humor +1


The github admins should be mad at their engineers for not fixing a massive security hole in their site, not the guy who called attention to it in a non-damaging way when his bug report was ignored. The approach to handling this that github employees have used is not only counter productive, its unbelievably childish.


IMHO Github is not really coming out of this very well.


If github wasn't immune to this issue, is it realistic to expect other rails deployments to be savvy about this kind of thing?


@rainyday +1

He could have done really bad things without making "any noise". Instead he just raised the alarm about a REAL BIG SECURITY problem in a really kind way IMHO.


anyway, whats the point of suspending @homakov?


@sysprv - exactly - this completely debunks the arguments made against @homakov over the past few days. The 'newbie' argument falls flat when an elite group of coders can so easily fall prey to this issue. Meanwhile, rails takes credit for handling cross-site-scripting, sql injection and other "newbie mistakes."

No matter what anybody says, this is a "call-the-neighbors-and-wake-the-kids" kind of issue. It will be interesting to see how many gems get updated this week.


@sysprv It's absolutely not. One of the reasons people use frameworks in the first place is because this type of thing is supposed to be done for you minimizing the chance of human error. Github COULD have found this on their own but I don't think they are the ones to blame here. The problem is how they responded. Most software has bugs, what matters is how you respond to them and the Rails team and github have done pretty much everything wrong on that front.


Is he actually suspended? His account looks up to me.


@klondike He just can't log in.


I'll just add a couple of points, in case this is still relevant:-

  • Regardless of whether you think Rails should handle this differently, this is not a "0 day attack" or an exploit of a "Rails security hole". The mechanism to secure Github is there without any code changes to Rails, which is how Github could fix it within minutes. Exploiting a vulnerability and violating a site's TOS, at least as far as keeping one's account privileges, is a really serious action that requires serious justification. If this were actual 0day, it might plausibly be defensible, depending on the circumstances.

  • Rails has chosen a pattern which makes it more likely that even a foundational Rails site built by some of the most experienced Rails developers in the world is susceptible to unauthorized data entry. This is an obvious problem, and it reflects poorly on the Rails development team that they wouldn't take it seriously up until now. It's hard to get away from the feeling that as experienced Rails devs themselves, they simply could not empathize with the broader Rails community and chose to blame any vulnerabilities on the incompetence of individual developers.

There is a problem here, but vilifying the Rails framework as having an 0day flaw, or heroizing @homakov for sticking it to the Rails team, are both wrong. It's not black and white, and all we can do is take the conversation to the Rails core team to figure out where to go from here. @wycats is trying to start that process now.

How Github deals with @homakov's account is entirely up to them, and they're well within their rights to terminate his account.


+1 Django


I wouldn't have asked for money off the bat like he did. But I don't see anything wrong with his approach. He probably saved Github from some serious issues down the road (someone would have figured this out).



@github should hire @homakov

If I were @homakov, I'd decline. GitHub's only office is in San Francisco, and I guess he'd remember the United States v. ElcomSoft and Sklyarov case. And the fact that Robert S. Mueller is currently Director of the FBI.

Right now any IRL step on U. S. soil probably means @homakov jailed. He probably should also avoid proximity to U. S. vessels, diplomatic missions and other more or less exterritorial objects within his home city.


if i were github, i'd send this guy truckloads of flowers, booze and money for saving their asses. if @homakov sold that exploit on a blackhat market, github -- and its paying customers -- would be in some really deep shit, maybe even on the brink of bankruptcy (imagine all the lawsuits for stolen private code). so, this man is a hero and should be treated like one.

now's the time to get some sleep in my timezone, but i expect the upcoming monday to be pretty shitty for many maintainers of rails apps that also sport a similar security hole. i'll start the day with checking my own apps for this, actually.


So.. I still don't see Goatse. Anyway, I guess at this point everyone should be A) backing up their code B) protecting it C) nailing Github ass D) Helping @homakov out.


@klondike Of course Github has the right to ban @homakov, claiming otherwise would be absurd. Banning white-hat hackers sends the message that you're more concerned with saving face than actually fixing things and a company whose entire userbase is made up of developers should know better.


NEWSFLASH: @homakov found to be github "plant" so free users upgrade to paid plans! Details @ 11! :-)


haha - yeah, well, this paid plan customer just typed this command: git clone git://


Jose Valim quits and the neighborhood goes to hell. :smile:


@ElDeveloper adding fields to a form in Firebug doesn't make him a cool specialist.


Github is so much fun today! Epic commit btw!


All in favor of Egor. Thanks for pushing github to be a better platform.


And btw lol @ all the meme stuff... Waiting for some Bear Grylls...




Freedom! Next time my tattoo is gonna be real! :3




lol.... Egor++


@homakov congrats for your freedom!!


@homakov you got your account back. Github +1.


@tomash, agree 100%. Can you imagine what he would have gotten from the black market!?!?! If someone walked up to you and said: you can have $1M and no one will know, or you can make a couple jokes and then hellfire and brimstone will rain down on you for making the right choice, what would any of you have done?


I agree with gitmonster. I'm glad this got resolved as quickly as it did.


@KenanY that had me laughing like a fool out loud. Nice


Glad this issue is now resolved. Back to work!


Oh well, back to work.


Welcome back @homakov. FWIW you got your message across. Not sure you could have done it any other way. Take this as a lesson all you devs, take all your bug reports seriously.


@gitmonster +infinities and also @DouweM and @tekknolagi

Most comments are completely childish. I've been on both sides of the equation and believe me, mature people deal with this in a much cleaner way. Lots of people find vulnerabilities bigger than this EVERY day. You just don't hear about them because they are quiet and respect the rules of engagement in Security: report and wait ENOUGH time (not just hit a huge website with a huge bug and expect it to be fixed immediately! Which they did, BTW, huge kudos to Github for their amazing response...)

Having read a lot on this issue, I'm certain @homakov tried to do The Right Thing (TM) and he just messed up due to inexperience and the kind of light-minded attitude that we all have had when we were young. I'm also sure he has learned a big lesson today and all his 0day vulnerabilities will be properly reported from now on instead of breaking hell loose on a Sunday evening.

Thanks @homakov, the Github team and everybody involved in the fixes!


And now people, LEARN how a good company behaves during such tough times. Please, read the official story of what happened:


I really enjoyed reading this comments, I love open source projects \o/


Well, I take back what I said, Github seems to be handling this admirably. At least in the end.


@homakov is symbol of freedom! Thank you! @php_peru is with you!


No harm no foul, I suppose. Real hacking is always playful!

Fascinating to watch the evolution of this bug (if you look at the tickets, and the tickets which that ticket references) - rail's aim to be easy for beginners has becoming a stumbling point even for the most advanced experts.

+1 for the hack, +1 for GitHub for being so sensible about this. (+1 when Rails changes the default?)


-1 for GitHub's lack of humility about all this. I sincerely hope they are doing a little more for @homakov than just giving him back what he had before. He really did them a big favor.


lol wow


@rmoriz Oh gosh that caught me by surprise.


well done


A solution to a more obscure problem related to the "vulnerability" of mass assignment:


After reading through the bug history, I'm glad @homokov persisted. People simply weren't taking him seriously. It looks pretty bad in retrospect.


Off topic: how can I disable all types of notifications coming from this commit? I have done so for email notifications for this commit, but I would also like to stop receiving tons of notifications via GitHub's interface. Anyone know how? Thanks.


@Apelsin right below the comment box at the end of this commit, there is a link to disable email notifications for this commit.


Actually, this one is hacked by Lei Feng from China.

Mar 5 2012

Shit I'm using @github and @rails right now.
=> Now I have to spend the whole week to move our enterprise code to PHP and CVS.


Dude, you did everything right. Russia is proud of you :D


@jacortinas Please re-read what I wrote. I just said I did that already and what I am asking for is how to disable ALL notifications for THIS commit.


Just see the 5th comment in front of this one LOL~~~


make word better you can.


oops! this is not so nice to hear! :@


I write in epic thread


With that, all those "node.js community is so immature" phrases come to my mind. Seems like there are more of these ...


Rails is PHP in disguise?


put this in your initializer and forget all about it:

ActiveRecord::Base.send(:attr_accessible, nil)

put this in your php.ini and forget all about it:

register_globals = Off


Only CoffeeScript allowed :P


I wonder how many bugs like this are in GitHub's (and my) code. What about subscriptions for example...


there are no kittens in this thread



Wow amazing thread! even If I'm not a Rails developer!

 _____ _   _ _____    ____    _    __  __ _____ 
|_   _| | | | ____|  / ___|  / \  |  \/  | ____|
  | | | |_| |  _|   | |  _  / _ \ | |\/| |  _|  
  | | |  _  | |___  | |_| |/ ___ \| |  | | |___ 
  |_| |_| |_|_____|  \____/_/   \_\_|  |_|_____|

lol gg


OMG GitHub has turned into Reddit/2+2...




I hereby associate myself with this epic commit thread.



Congrats on unbanning yourself!

PS- can you upgrade my account? Thanks!


This is not a design problem... of the architecture, but that of the default policy making assignment implicit AND of the user (github) not being security conscious enough. And since github was informed about the status quo it's its sole responsibility for being hacked and they were IN LUCK that it wasn't someone malevolent. Committing to main branch guaranteed speedy alert of the responsible personnel and patch fixing all apps hence.


@homakov "get account back" - is nice reward. Congrats! :trollface:




@grantgalitz Exactly. This is a place for coders to get things done. Go back to Reddit and 4chan if you want meme pictures and let the men and women do work.


Oh please... get over yourselves.

GitHub is one of the greatest things ever created.

Rails, however... not so much.


@gfosco I can't agree more... stupid Rails. Powered Rails on the other hand, they are pretty awesome, but you do need to get a lot of gold.


When you commit in master, the terrorists win!


use, it finds mass assignment vulnerabilities pretty darn well




good job mate :)
you did the right thing in my opinion. no harm done but great way to get attention for a critical issue


@oreoshake awesome tool +1


@Petah what were you thinking?


What an interesting discussion. Point of the matter is - the guy pointed out a vulnerability, some people decided it should be ignored (being a security issue that's a pretty big problem), so he made it even more obvious to the entire community and some people are putting him down for it. Absolute joke.


Wow, now really, how much will it take to have also a register_globals-like functionality? =)
Seriously rails? :|


@Ocramius and @others:
register_globals and magic_quotes are deprecated and have been removed in the latest versions of PHP, so you don't shine, and unless you're being vaguely sarcastic, you show you lack skill.


@rishta you don't say? :D


Your comment lacks a certain level of understanding the joke.
Of course they are deprecated, because PHP - by design - is no longer vulnerable to this sort of attack. That was the whole point.
By not fixing these holes in a default installation, RoR now scores even lower than PHP of 5 years ago.


@github, pretty please is there some way to turn off notifications from this thread without turning off all commit comment notifications?


If PHP code is producing errors with register_globals on, you are a terrible, terrible programmer. If you are using magic_quotes you are simply stupid.


If PHP code is producing errors with register_globals on, you are a terrible, terrible programmer. If you are using magic_quotes you are simply stupid.

But I like magic! David Blaine is soo cool


@jberger I use Firebug: $('.del a').click() on notification page to get rid of approx 10 messages per hour from this thread :))




Welcome to Rails :) If you aren't using attr_accessible Santa kills 3 kittens for every vulnerable model.



Santa kills 3 kittens for every vulnerable model

In this case there was a dead octokitten.


holy crap


Pagination for the win..


1. There is a 'mark all as read' button on the notifications tab.
2. Why do you think clearing messages would help? I am 100% sure they have a table for participating users and you will be there FOREVER


Damnit, can't I go one day without having to see Michael Jackson?


Epic commit is epic!


Why do I still get notifications about this thread when I unsubscribed a few days ago and according to the bottom of this page they are properly off? :/


Rails developer: security? Nah, never heard of it!




Why do I still get notifications about this thread when I unsubscribed a few days ago and according to the bottom of this page they are properly off? :/

Check the «Comments after me on commits» setting in your Notification Center.


@Mithgol thanks!


Wow, all these animated gifs make me feel like I'm on a 1996 Geocities page.


@jfahrenkrug that's exactly what they're meant for... We're commenting on 1996's web applications' security issues :D


Homakov, you rock )






Egor Letov live!


Leaving my name here in case this blows up = =




What if someone introduced very hard to detect vulnerabilities in popular software packages and libraries by altering commits long ago in the history of the projects?

We'd never know.

What if this has already happened?


Git is not centralized, everybody will notice that once he/she tries to push to the repo since the SHA will not match.


@dandv Man, I'm seeing you everywhere.

@seuros is right, though. You can't pull from a repository with altered commit history without huge flames and explosions.
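To make the SHA-mismatch argument in the two replies above concrete, here is an added example (not code from the thread or from git) in plain Ruby. Git names every object by the SHA-1 of `"<type> <size>\0<content>"`, and a commit's content includes its tree id and its parent's id, so altering any ancestor changes every descendant id and a clone that fetches from the rewritten repository sees a different history rather than a silently patched one. The blob hashing below is exactly git's; the commit object format is simplified (real commits also carry tree entries, author and committer lines) and the sample history is constructed for the demonstration.

```ruby
# Added example: content-addressed history in plain Ruby (no git required).
require "digest"

# Git object id: SHA-1 over the header "<type> <size>\0" followed by content.
def git_object_id(type, content)
  Digest::SHA1.hexdigest("#{type} #{content.bytesize}\0#{content}")
end

# Same value `git hash-object` prints for a file with this content.
def blob_id(content)
  git_object_id("blob", content)
end

# Simplified commit object (assumption of this example): a single file's
# blob id stands in for the tree, plus the parent id and the message.
def commit_id(blob, parent, message)
  body = "tree #{blob}\n"
  body += "parent #{parent}\n" if parent
  body += "\n#{message}\n"
  git_object_id("commit", body)
end

# Build a linear history from [file_content, message] pairs and return the
# commit ids, oldest first. Each id depends on the one before it.
def history_ids(commits)
  parent = nil
  commits.map do |content, message|
    parent = commit_id(blob_id(content), parent, message)
  end
end

# Constructed sample history: three commits touching one file.
ORIGINAL = [
  ["def auth(user)\n  check(user)\nend\n", "initial"],
  ["def auth(user)\n  check(user)\nend\n\ndef log; end\n", "add logging"],
  ["def auth(user)\n  check(user)\nend\n\ndef log; puts :ok; end\n", "log output"],
].freeze

# The same history with only the oldest commit's content altered.
TAMPERED = ORIGINAL.dup
TAMPERED[0] = ["def auth(user)\n  true\nend\n", "initial"]

# How a fetching clone would compare: count positions where the id of the
# commit it already has differs from the id the remote now advertises.
def diverged_commits(local, remote)
  local.zip(remote).count { |a, b| a != b }
end

if __FILE__ == $PROGRAM_NAME
  puts "original: #{history_ids(ORIGINAL).join(' ')}"
  puts "tampered: #{history_ids(TAMPERED).join(' ')}"
  puts "commits that no longer match: #{diverged_commits(history_ids(ORIGINAL), history_ids(TAMPERED))}"
end
```

Changing one byte in the first commit changes all three ids, which is why a rewritten history cannot be pushed over, or fetched on top of, the original without every existing clone noticing the non-fast-forward divergence. What a content hash does not give you is authorship: that is what signed commits and tags add on top.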
