add humans.txt

commit ceb1dcc3dbd4f3e5d42f46bb5746c87c1fcf47ff 1 parent fc5c41e
@paulca paulca authored
9 railties/lib/rails/generators/rails/app/templates/public/humans.txt.tt
@@ -0,0 +1,9 @@
+# See more about this file at: http://humanstxt.org/
+# For format suggestions, see: http://humanstxt.org/Standard.html
+/* TEAM */
+ <%= ENV['USER'].titlecase %>
+
+/* APP */
+ Name: <%= app_const_base %>
+ Date Created: <%= Date.today.strftime("%B %d, %Y") %>
+ Software: Ruby on Rails
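Review bot: `<%= ENV['USER'].titlecase %>` on the TEAM line raises NoMethodError when USER is not set in the environment (containers, cron or CI runs of `rails new`), so the generator aborts rather than falling back; and both that line and `Date Created:` copy values from the build machine into a world-readable `public/` file, where the developer's OS username and the app's creation date become reconnaissance data with no benefit to the humans.txt reader. Suggest shipping placeholder text instead, e.g. ` Your Name Here` and dropping the `Date Created:` line, so the generated file carries only what the developer deliberately edits in.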

8 comments on commit ceb1dcc

@nertzy

I appreciate the spirit, although I worry that this can be used to detect Ruby on Rails applications in order to exploit security holes quickly.

The date created might give a good proxy for what version the site is running if it hasn't been upgraded yet. The app_const_base can tell you information about how the code is structured if you are able to figure out some hole to eval code on the server side. And using the ENV['USER'] could give hints as to what usernames are good to guess for admin accounts.

@fxn
Owner

/cc grandpa @NZKoz

@oscardelben

I'm :-1: on this for the reasons outlined by @nertzy.

@kossnocorp

@nertzy @oscardelben

I know more proven ways to detect ROR usage. So let's rename jQuery.rails to jQuery.php?

@yaroslav

Kinda :-1: because of ENV[USER] and Date Created. Is there any way we can just add an empty/sample humans.txt (same as with robots.txt)?..
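To make the concern in @nertzy's comment and the placeholder alternative @yaroslav proposes concrete, here is an added Ruby example (not code from the Rails repository) that renders the committed template and a placeholder-only variant and reports which build-machine values ended up in the public file. It assumes a constructed `app_const_base` of `Blog` and stands in for ActiveSupport's `String#titlecase` with a small local approximation, since plain Ruby lacks it.

```ruby
require 'erb'
require 'date'

# Constructed stand-ins for the generator's template context.
APP_CONST_BASE = 'Blog'

def build_user
  ENV['USER'].to_s.empty? ? 'deploy' : ENV['USER']   # constructed fallback
end

def titlecase(s)   # approximation of ActiveSupport's String#titlecase
  s.split(/[\s_]+/).map(&:capitalize).join(' ')
end

# The committed template, with build_user standing in for ENV['USER'].
ORIGINAL_TEMPLATE = <<~'ERB'
  /* TEAM */
   <%= titlecase(build_user) %>

  /* APP */
   Name: <%= app_const_base %>
   Date Created: <%= Date.today.strftime("%B %d, %Y") %>
   Software: Ruby on Rails
ERB

# Placeholder-only variant: nothing is read from the build machine or the clock.
SAMPLE_TEMPLATE = <<~'ERB'
  /* TEAM */
   Your Name Here

  /* APP */
   Name: <%= app_const_base %>
   Software: Ruby on Rails
ERB

def render(template, app_const_base: APP_CONST_BASE)
  ERB.new(template).result(binding)
end

# Values from the build environment that would be served to anyone fetching
# /humans.txt; an empty array means the file discloses nothing about the host.
def leaked_values(rendered, user: build_user, today: Date.today)
  [user, titlecase(user), today.strftime("%B %d, %Y")]
    .uniq.reject(&:empty?).select { |v| rendered.include?(v) }
end

if __FILE__ == $0
  p leaked_values(render(ORIGINAL_TEMPLATE))   # username and creation date
  p leaked_values(render(SAMPLE_TEMPLATE))     # => []
end
```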

@jnx

There are both good and bad things about this, although I like this one.

@oscardelben

@kossnocorp I'm not particularly worried about detecting rails itself, there's nothing to hide there. I don't like the date and user attributes personally. This is how default credits look in Xcode projects:

Engineering:
    Some people

Human Interface Design:
    Some other people

Testing:
    Hopefully not nobody

Documentation:
    Whoever

With special thanks to:
    Mom

They're vague and it's a good thing.

@henrik

I like that there is a default file to encourage use and so that requests for it (by e.g. browser extensions) don't 404.

But I agree that exposing the username is a bad thing, if the user isn't fully aware that this is happening. It reminds me of when the IRC client Colloquy included the full user name in your public info, but only had that info in the folded-up advanced settings.

Not sure app name or date are things to expose without making it clear, either.

To play the devil's advocate, I suppose seeing this file in the public directory should alert you that it will be exposed, but I would prefer a higher level of privacy as the default.
