wow how come I commit in master? O_o

homakov committed Mar 4, 2012
1 parent 4d391a4 commit b83965785db1eec019edf1fc272b1aa393e6dc57
Showing with 3 additions and 0 deletions.
hacked (+3 −0)
@@ -0,0 +1,3 @@
another showcase of rails apps vunlerability.

jsauve Mar 8, 2012

He can hack...but can he spell?

AlekSi Mar 8, 2012

I guess you should do the same in Russian then. ;)

jsauve Mar 8, 2012

The voice of inflection, my humor is not very well translated into Russian ;)

akostrikov Mar 29, 2012

Indeed, not very well

dreamfall Mar 29, 2012

Contributor

Yeah, dude, you've got some problems with Russian :)

andreiglingeanu Oct 13, 2017

probably because github's using rails internally

Github pwned. again :(
will you pay me for security audit?
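Review bot: the file `hacked` that this hunk adds holds three lines of plain-text commentary and no code ("vunlerability" on the first line is misspelled), and it landed directly on master, as the commit message itself remarks; the only change to request here is a revert of the file, and the follow-up belongs not in this diff but in closing the write path that let it land, which the comments below attribute to mass assignment.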

262 comments on commit b839657

@jjmaestro jjmaestro replied Mar 5, 2012

@gitmonster +infinities and also @DouweM and @tekknolagi

Most comments are completely childish. I've been on both sides of the equation and believe me, mature people deal with this in a much cleaner way. Lots of people find vulnerabilities bigger than this EVERY day. You just don't hear about them because they are quiet and respect the rules of engagement in Security: report and wait ENOUGH time (not just hit a huge website with a huge bug and expect it to be fixed immediately! Which they did, BTW, huge kudos to Github for their amazing response...)

Having read a lot on this issue, I'm certain @homakov tried to do The Right Thing (TM) and he just messed up due to inexperience and the kind of light-minded attitude that we all have had when we were young. I'm also sure he has learned a big lesson today and all his 0day vulnerabilities will be properly reported from now on instead of breaking hell loose on a Sunday evening.

Thanks @homakov, the Github team and everybody involved in the fixes!

@jjmaestro jjmaestro replied Mar 5, 2012

And now people, LEARN how a good company behaves during such tough times. Please, read the official story of what happened:
https://github.com/blog/1069-responsible-disclosure-policy

@m3nd3s m3nd3s replied Mar 5, 2012

I really enjoyed reading this comments, I love open source projects \o/

@rainyday rainyday replied Mar 5, 2012

Well, I take back what I said, Github seems to be handling this admirably. At least in the end.

@cordoval cordoval replied Mar 5, 2012

@homakov is symbol of freedom! Thank you! @php_peru is with you!

@Miserlou Miserlou replied Mar 5, 2012

No harm no foul, I suppose. Real hacking is always playful!

Fascinating to watch the evolution of this bug (if you look at the tickets, and the tickets which that ticket references) - Rails' aim to be easy for beginners has become a stumbling point even for the most advanced experts.

+1 for the hack, +1 for GitHub for being so sensible about this. (+1 when Rails changes the default?)

@chkn chkn replied Mar 5, 2012

-1 for GitHub's lack of humility about all this. I sincerely hope they are doing a little more for @homakov than just giving him back what he had before. He really did them a big favor.

@coderjonny coderjonny replied Mar 5, 2012

lol wow

@KenanY KenanY replied Mar 5, 2012

@rmoriz Oh gosh that caught me by surprise.

@banacorn banacorn replied Mar 5, 2012

well done

@rafaelp rafaelp replied Mar 5, 2012

A solution to a more obscure problem related to the "vulnerability" of mass assignment:
https://gist.github.com/1976687

@emwalker emwalker replied Mar 5, 2012

After reading through the bug history, I'm glad @homakov persisted. People simply weren't taking him seriously. It looks pretty bad in retrospect.

@Apelsin Apelsin replied Mar 5, 2012

Off topic: how can I disable all types of notifications coming from this commit? I have done so for email notifications for this commit, but I would also like to stop receiving tons of notifications via GitHub's interface. Anyone know how? Thanks.

Contributor

@jacortinas jacortinas replied Mar 5, 2012

@Apelsin right below the comment box at the end of this commit, there is a link to disable email notifications for this commit.

@i3zhe i3zhe replied Mar 5, 2012

Actually, this one is hacked by Lei Feng from China.

                                                   Mar 5 2012
@sleeptillseven sleeptillseven replied Mar 5, 2012

Shit I'm using @github and @rails right now.
=> Now I have to spend the whole week to move our enterprise code to PHP and CVS.

@thers thers replied Mar 5, 2012

Chikey, you did everything right. Roissya is proud of you :D

@Apelsin Apelsin replied Mar 5, 2012

@jacortinas Please re-read what I wrote. I just said I did that already and what I am asking for is how to disable ALL notifications for THIS commit.
Thanks.

Contributor

@jacortinas jacortinas replied Mar 5, 2012

@hzlzh hzlzh replied Mar 5, 2012

Just see the 5th comment in front of this one LOL~~~

@bloodrizer bloodrizer replied Mar 5, 2012

@feilaoda feilaoda replied Mar 5, 2012

make word better you can.

@harshadura harshadura replied Mar 5, 2012

oops! this is not so nice to hear! :@

@milushov milushov replied Mar 5, 2012

I write in epic thread

@sleeptillseven sleeptillseven replied Mar 5, 2012

With that, all those "node.js community is so immature" phrases come to my mind. Seems like there are more of these ...

@bmjames bmjames replied Mar 5, 2012

Rails is PHP in disguise?

@madsheep madsheep replied Mar 5, 2012

put this in your initializer and forget all about it:

ActiveRecord::Base.send(:attr_accessible, nil)

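
The setting @madsheep recommends turns off mass assignment for every model until a model opts attributes back in. The following is an added example, not code from the thread or from Rails: a dependency-free Ruby sketch of what mass assignment does with a request hash, showing the unchecked form beside an allowlisted form in the spirit of `attr_accessible`. The `User` model, its attribute names and the `TAMPERED_PARAMS` request body are constructed for illustration.

```ruby
# Added example (not from the thread): mass assignment in plain Ruby, with no
# ActiveRecord dependency. The model, params and attribute names are constructed.

# A model whose attributes can be set in bulk from a request hash.
class User
  attr_reader :attributes

  def initialize
    @attributes = { "name" => nil, "email" => nil, "admin" => false }
  end

  # Vulnerable form: every key in params that names an attribute is written
  # straight to the model. This is mass assignment without an allowlist.
  def assign_unchecked(params)
    params.each { |k, v| @attributes[k] = v if @attributes.key?(k) }
    self
  end

  # Allowlist of attributes a request may set. An empty allowlist corresponds
  # to the "attr_accessible nil" default above: nothing is assignable until
  # the model explicitly opts attributes in.
  ACCESSIBLE = %w[name email].freeze

  # Hardened form: only allowlisted keys are written; the rejected keys are
  # returned so the caller can log the attempt.
  def assign_allowlisted(params, accessible = ACCESSIBLE)
    rejected = params.keys - accessible
    params.each { |k, v| @attributes[k] = v if accessible.include?(k) }
    rejected
  end
end

# Constructed request body: a legitimate profile update carrying an extra
# "admin" key that the form never offered.
TAMPERED_PARAMS = { "name" => "egor", "email" => "e@example.com", "admin" => true }.freeze

# Unchecked assignment: the privilege flag is written along with the rest.
def vulnerable_update(params = TAMPERED_PARAMS)
  User.new.assign_unchecked(params).attributes
end

# Allowlisted assignment: returns the resulting attributes and the dropped keys.
def hardened_update(params = TAMPERED_PARAMS)
  user = User.new
  dropped = user.assign_allowlisted(params)
  [user.attributes, dropped]
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_update   # "admin" => true slips through
  p hardened_update     # "admin" stays false; ["admin"] reported as dropped
end
```

The returned list of rejected keys is the detection hook: a request that keeps trying to set attributes outside the allowlist is worth logging, which a silent drop would hide.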
@pwlin pwlin replied Mar 5, 2012

put this in your php.ini and forget all about it:

register_globals = Off

@sleeptillseven sleeptillseven replied Mar 5, 2012

Only CoffeeScript allowed :P

@daliborfilus daliborfilus replied Mar 5, 2012

I wonder how many bugs like this are in GitHub's (and my) code. What about subscriptions, for example...

@gugu gugu replied Mar 5, 2012

there are no kittens in this thread

kitten

@mininaim mininaim replied Mar 5, 2012

Wow amazing thread! even If I'm not a Rails developer!

@gfosco gfosco replied Mar 5, 2012

They Said

@simoncpu simoncpu replied Mar 5, 2012

 _____ _   _ _____    ____    _    __  __ _____ 
|_   _| | | | ____|  / ___|  / \  |  \/  | ____|
  | | | |_| |  _|   | |  _  / _ \ | |\/| |  _|  
  | | |  _  | |___  | |_| |/ ___ \| |  | | |___ 
  |_| |_| |_|_____|  \____/_/   \_\_|  |_|_____|

@wolfiestyle wolfiestyle replied Mar 5, 2012

lol gg

@wouteroostervld wouteroostervld replied Mar 5, 2012

OMG GitHub has turned into Reddit/2+2...

@lostinplace lostinplace replied Mar 5, 2012

upvote

@madirey madirey replied Mar 5, 2012

I hereby associate myself with this epic commit thread.

@paulwal paulwal replied Mar 5, 2012

@homakov

Congrats on unbanning yourself!

PS- can you upgrade my account? Thanks!

@rishta rishta replied Mar 5, 2012

This is not a design problem... of the architecture, but that of the default policy making assignment implicit AND of the user (github) not being security conscious enough. And since github was informed about the status quo it's its sole responsibility for being hacked and they were IN LUCK that it wasn't someone malevolent. Committing to the main branch guaranteed a speedy alert of the responsible personnel and a patch fixing all apps hence.

@MechanisM MechanisM replied Mar 5, 2012

@homakov "get account back" - is nice reward. Congrats! :trollface:

@chjohnst chjohnst replied Mar 5, 2012

quazy

@earlcochran earlcochran replied Mar 5, 2012

@grantgalitz Exactly. This is a place for coders to get things done. Go back to Reddit and 4chan if you want meme pictures and let the men and women do work.

@gfosco gfosco replied Mar 5, 2012

Oh please... get over yourselves.

GitHub is one of the greatest things ever created.

Rails, however... not so much.

@gamaral gamaral replied Mar 5, 2012

@gfosco I can't agree more... stupid Rails. Powered Rails on the other hand, they are pretty awesome, but you do need to get a lot of gold.

@CryptoJones CryptoJones replied Mar 5, 2012

When you commit in master, the terrorists win!

Contributor

@oreoshake oreoshake replied Mar 5, 2012

use https://github.com/presidentbeef/brakeman, it finds mass assignment vulnerabilities pretty darn well

@mzeena mzeena replied Mar 5, 2012

Bravo!

@koopa koopa replied Mar 5, 2012

good job mate :)
you did the right thing in my opinion. no harm done but great way to get attention for a critical issue

Contributor

@tinogomes tinogomes replied Mar 5, 2012

@oreoshake awesome tool +1

@Petah Petah replied Mar 6, 2012

Oh no you didn't

@pearcec pearcec replied Mar 6, 2012

@Petah what were you thinking?

@stevenseeley stevenseeley replied Mar 6, 2012

LOL

@kirkbushell kirkbushell replied Mar 6, 2012

What an interesting discussion. Point of the matter is - the guy pointed out a vulnerability, some people decided it should be ignored (being a security issue that's a pretty big problem), so he made it even more obvious to the entire community and some people are putting him down for it. Absolute joke.

@Ocramius Ocramius replied Mar 6, 2012

Wow, now really, how much will it take to have also a register_globals-like functionality? =)
Seriously rails? :|

@rishta rishta replied Mar 6, 2012

@Ocramius and @Others:
register_globals and magic_quotes are deprecated and have been removed in the latest versions of PHP, so you don't shine, and unless you're being vaguely sarcastic, you show you lack skill.

@Ocramius Ocramius replied Mar 6, 2012

@rishta you don't say? :D

@pwlin pwlin replied Mar 6, 2012

@rishta
Your comment lacks a certain level of understanding the joke.
Of course they are deprecated, because PHP - by design - is no more vulnerable to this sort of attack. That was the whole point.
By not fixing these holes in a default installation, RoR now scores even lower than PHP of 5 years ago.

@jberger jberger replied Mar 6, 2012

@github, pretty please is there some way to turn off notifications from this thread without turning off all commit comment notifications?

@mishak87 mishak87 replied Mar 6, 2012

If PHP code is producing errors with register_globals on, you are a terrible, terrible programmer. If you are using magic_quotes, you are simply stupid.

@warmwaffles warmwaffles replied Mar 6, 2012

If PHP code is producing errors with register_globals on, you are a terrible, terrible programmer. If you are using magic_quotes, you are simply stupid.

But I like magic! David Blaine is soo cool

Contributor

@ixti ixti replied Mar 6, 2012

@jberger I use Firebug: $('.del a').click() on notification page to get rid of approx 10 messages per hour from this thread :))

@imlcl imlcl replied Mar 7, 2012

wow

@dreamr dreamr replied Mar 7, 2012

Welcome to Rails :) If you aren't using attr_accessible Santa kills 3 kittens for every vulnerable model.

@believe3301 believe3301 replied Mar 8, 2012

wow

@Mithgol Mithgol replied Mar 8, 2012

@dreamr

Santa kills 3 kittens for every vulnerable model

In this case there was a dead octokitten.

@darth10 darth10 replied Mar 8, 2012

holy crap

@MechanisM MechanisM replied Mar 8, 2012

@kevinpostal kevinpostal replied Mar 8, 2012

Pagination for the win..

Contributor Author

@homakov homakov replied Mar 8, 2012

@larzconwell
1 there is 'mark all as read' button on notif. tab
2 Why do you think clearing messages should help? I am 100% sure they have a table for participating users and you will be there FOREVER

@kelliott kelliott replied Mar 8, 2012

Damnit, can't I go one day without having to see Michael Jackson?

@wilmoore wilmoore replied Mar 9, 2012

+rails +security = "none found"

@brodock brodock replied Mar 10, 2012

Epic commit is epic!

@daliborfilus daliborfilus replied Mar 10, 2012

Why do I still get notifications about this thread when I unsubscribed a few days ago and according to the bottom of this page they are properly off? :/

@ajukraine ajukraine replied Mar 10, 2012

Rails developer: security? Nah, never heard of it!

(Ukrainian)

@Mithgol Mithgol replied Mar 11, 2012

@noice

Why do I still get notifications about this thread when I unsubscribed a few days ago and according to the bottom of this page they are properly off? :/

Check the «Comments after me on commits» setting in your Notification Center.

@daliborfilus daliborfilus replied Mar 13, 2012

@Mithgol thanks!

@jfahrenkrug jfahrenkrug replied Mar 14, 2012

Wow, all these animated gifs make me feel like I'm on a 1996 Geocities page.

@Ocramius Ocramius replied Mar 14, 2012

@jfahrenkrug that's exactly what they're meant for... We're commenting on 1996's web applications' security issues :D

@rusllonrails rusllonrails replied Mar 24, 2012

Khomyakov, you're awesome )

@chucai chucai replied Apr 6, 2012

Interesting

@arbing arbing replied May 23, 2012

So much fun

@odiszapc odiszapc replied Jun 11, 2012

Egor Letov live!

@hinagiku hinagiku replied Apr 18, 2013

Marking my spot in this hot thread = =

@collaroid collaroid replied Oct 22, 2013

Already on fire, marking my spot...

@hutusi hutusi replied Jun 5, 2014

😷

@dandv dandv replied Nov 19, 2014

What if someone introduced very hard to detect vulnerabilities in popular software packages and libraries by altering commits long ago in the history of the projects?

We'd never know.

What if this has already happened?

Member

@seuros seuros replied Nov 19, 2014

Git is not centralized; everybody will notice that once he/she tries to push to the repo, since the SHA will not match.

@kirushyk kirushyk replied Jun 25, 2015

:-)

@paralin paralin replied Jul 7, 2015

@dandv Man, I'm seeing you everywhere.

@seuros is right, though. You can't pull from a repository with altered commit history without huge flames and explosions.
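
The point @seuros and @paralin make above, shown as an added example that is not part of the thread: git names every object by the SHA-1 of `<type> <size>\0<content>`, and a commit's content embeds its tree id and its parent's id, so altering an old commit renames it and every commit after it. The blob hashing below matches `git hash-object`; the commit objects use git's real layout but with constructed author lines and placeholder tree ids standing in for hashed tree objects, so the commit ids are illustrative rather than those of any real repository.

```ruby
require "digest/sha1"

# Added example (not from the thread): git's content addressing in plain Ruby,
# with no git binary. Tree ids and author lines are constructed placeholders.

# Git names every object by the SHA-1 of "<type> <size>\0<content>".
def git_object_id(type, content)
  Digest::SHA1.hexdigest("#{type} #{content.bytesize}\0#{content}")
end

# Blob id exactly as `git hash-object` computes it.
def blob_id(content)
  git_object_id("blob", content)
end

# Commit id in git's commit-object layout. Author and committer lines are fixed
# constructed values, so the id depends only on tree, parent and message.
def commit_id(tree:, parent:, message:)
  body = +"tree #{tree}\n"
  body << "parent #{parent}\n" if parent
  body << "author A <a@example.com> 1330819200 +0000\n"
  body << "committer A <a@example.com> 1330819200 +0000\n"
  body << "\n#{message}\n"
  git_object_id("commit", body)
end

# Linear history: each commit names its tree and the commit before it.
# Returns commit ids, oldest first.
def history(tree_ids, messages)
  parent = nil
  tree_ids.zip(messages).map do |tree, msg|
    parent = commit_id(tree: tree, parent: parent, message: msg)
  end
end

# Constructed stand-ins for tree ids (a real repo would hash tree objects).
ORIGINAL_TREES = ["a" * 40, "b" * 40, "c" * 40].freeze
MESSAGES = ["initial import", "add feature", "fix typo"].freeze

# Swap the tree of one historical commit (the "altered a commit long ago"
# scenario) and report which commit ids no longer match the published ones.
def compare_histories(tampered_index)
  published = history(ORIGINAL_TREES, MESSAGES)
  altered_trees = ORIGINAL_TREES.dup
  altered_trees[tampered_index] = "d" * 40
  tampered = history(altered_trees, MESSAGES)
  {
    published: published,
    tampered: tampered,
    diverged_at: published.each_index.select { |i| published[i] != tampered[i] }
  }
end

if __FILE__ == $PROGRAM_NAME
  result = compare_histories(0)
  puts "published: #{result[:published].join(' ')}"
  puts "tampered:  #{result[:tampered].join(' ')}"
  puts "commit ids that changed: #{result[:diverged_at].inspect}"
end
```

Tampering with the first commit changes all three ids; tampering with the last changes only the last. Either way a clone holding the published ids cannot fast-forward onto the rewritten history, which is the mismatch @seuros describes, and a defender comparing branch tips against a recorded id sees it immediately.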

@bsh314 bsh314 replied Dec 14, 2015

Well, Egor deserves a cookie. Give it to him! Medium

@egeersoz egeersoz replied Dec 15, 2015

Egor for president!!!

@mozillo mozillo replied Feb 24, 2016

vulnerability

@sebie sebie replied Apr 29, 2016

Over four years now.. 😃

@YasserGersy YasserGersy replied Oct 25, 2016

💃

@samrocketman samrocketman replied Jan 14, 2017

2017, comment for every year so far.

@geluso geluso replied Jan 2, 2018

2018

@aveao aveao replied Feb 26, 2019

2019, and no, I'm not sorry for sending a notification to thousands of people about this.

@PrincessOfEvil PrincessOfEvil replied Jan 1, 2020

Sorry not sorry.