
add humans.txt

commit ceb1dcc3dbd4f3e5d42f46bb5746c87c1fcf47ff 1 parent fc5c41e
Paul Campbell authored May 08, 2012
9  railties/lib/rails/generators/rails/app/templates/public/humans.txt.tt
@@ -0,0 +1,9 @@
+# See more about this file at: http://humanstxt.org/
+# For format suggestions, see: http://humanstxt.org/Standard.html
+/* TEAM */
+  <%= ENV['USER'].titlecase %>
+
+/* APP */
+  Name: <%= app_const_base %>
+  Date Created: <%= Date.today.strftime("%B %d, %Y") %>
+  Software: Ruby on Rails
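Review bot: the TEAM line `<%= ENV['USER'].titlecase %>` raises NoMethodError when USER is not set in the environment running the generator (ENV['USER'] returns nil, and nil has no titlecase), so `rails new` would fail instead of writing the file; and when USER is set, it copies the developer's operating-system username into a file served from public/. `Date Created: <%= Date.today.strftime("%B %d, %Y") %>` likewise publishes the day the app was generated. Consider fixed placeholder text for the team entry and dropping Date Created, leaving `Name: <%= app_const_base %>` as the only generated value, or shipping the file with only the two comment lines so a request for it does not 404.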

8 notes on commit ceb1dcc

Grant Hutchins
nertzy commented on ceb1dcc May 10, 2012

I appreciate the spirit, although I worry that this can be used to detect Ruby on Rails applications in order to exploit security holes quickly.

The date created might give a good proxy for what version the site is running if it hasn't been upgraded yet. The app_const_base can tell you information about how the code is structured if you are able to figure out some hole to eval code on the server side. And using the ENV['USER'] could give hints as to what usernames are good to guess for admin accounts.
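
To make the concern above concrete, here is an added example (not part of the commit or of Rails) in Ruby: a small parser for the humans.txt format this template emits, followed by a fingerprint step that pulls out exactly the fields nertzy lists. The sample file is constructed to match what the template renders for an assumed OS username of "alice" and an assumed app name of "Shop"; the function and constant names are the example's own.

```ruby
require 'date'

# Constructed sample: what the template in this commit renders for a developer
# whose OS username is "alice" (assumed) generating an app called "Shop" (assumed).
SAMPLE_HUMANS_TXT = <<~TXT
  # See more about this file at: http://humanstxt.org/
  # For format suggestions, see: http://humanstxt.org/Standard.html
  /* TEAM */
    Alice

  /* APP */
    Name: Shop
    Date Created: May 08, 2012
    Software: Ruby on Rails
TXT

# Parse humans.txt into { "SECTION" => { fields: {key => value}, entries: [bare lines] } }.
# Section headers look like "/* NAME */"; inside a section, "Key: value" lines become
# fields, and bare lines (the TEAM entry here is just a name) are kept as entries.
# Comment lines starting with '#' and blank lines are ignored.
def parse_humans_txt(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(%r{\A/\*\s*(.+?)\s*\*/\z}))
      current = m[1]
      sections[current] = { fields: {}, entries: [] }
      next
    end
    next unless current # stray lines before any section header
    key, sep, value = line.partition(':')
    if sep.empty?
      sections[current][:entries] << line
    else
      sections[current][:fields][key.strip] = value.strip
    end
  end
  sections
end

# Reduce the parsed file to the reconnaissance value nertzy describes:
# the framework name, the creation date (a proxy for the Rails release that
# was current at generation time if the app was never upgraded), the app's
# constant base, and team names that are candidate account usernames.
def fingerprint(sections)
  empty = { fields: {}, entries: [] }
  app  = sections.fetch('APP', empty)
  team = sections.fetch('TEAM', empty)
  findings = {}
  findings[:framework] = app[:fields]['Software'] if app[:fields]['Software']
  findings[:app_name]  = app[:fields]['Name'] if app[:fields]['Name']
  if (d = app[:fields]['Date Created'])
    findings[:created] = Date.strptime(d, '%B %d, %Y')
  end
  findings[:candidate_usernames] = team[:entries].map(&:downcase) unless team[:entries].empty?
  findings
end

if __FILE__ == $0
  fingerprint(parse_humans_txt(SAMPLE_HUMANS_TXT)).each do |k, v|
    puts "#{k}: #{v.inspect}"
  end
end
```

Run against a live site, the same two functions would be fed `GET /humans.txt`; the point of the example is that every field the template fills in is machine-extractable with a dozen lines of code, which is why a default that ships placeholders (or nothing beyond the comment lines) leaks less than one that fills them from the generator's environment.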

Xavier Noria
Owner
fxn commented on ceb1dcc May 11, 2012

/cc grandpa @NZKoz

Oscar Del Ben

I'm :-1: on this for the reasons outlined by @nertzy.

Sasha Koss

@nertzy @oscardelben

I know more proven ways to detect ROR usage. So let's rename jQuery.rails to jQuery.php?

Yaroslav Markin

Kinda :-1: because of ENV[USER] and Date Created. Is there any way we can just add an empty/sample humans.txt (same as with robots.txt)?..

Christian Hjalmarsson
jnx commented on ceb1dcc May 14, 2012

There's both good and bad things about this, although I like this one.

Oscar Del Ben

@kossnocorp I'm not particularly worried about detecting rails itself, there's nothing to hide there. I don't like the date and user attributes personally. This is how default credits look in Xcode projects:

Engineering:
    Some people

Human Interface Design:
    Some other people

Testing:
    Hopefully not nobody

Documentation:
    Whoever

With special thanks to:
    Mom

They're vague and it's a good thing.

Henrik Nyh

I like that there is a default file to encourage use and so that requests for it (by e.g. browser extensions) don't 404.

But I agree that exposing the username is a bad thing, if the user isn't fully aware that this is happening. It reminds me of when the IRC client Colloquy included the full user name in your public info, but only had that info in the folded-up advanced settings.

Not sure app name or date are things to expose without making it clear, either.

To play the devil's advocate, I suppose seeing this file in the public directory should alert you that it will be exposed, but I would prefer a higher level of privacy as the default.
