3012 #5239

Closed
homakov opened this issue Mar 2, 2012 · 47 comments
Comments

homakov (Contributor) commented Mar 2, 2012

Hey. Where is a suicide booth?

from 3012 with love

You should check it ... #5228 :trollface:
[CONTENT IS FOR SALE EITHER]

drogus (Member) commented Mar 2, 2012

Good one ;)

@drogus drogus closed this Mar 2, 2012
kennyj (Contributor) commented Mar 2, 2012

I'm closing it (again).
@drogus closed it, but it's still open.
GitHub bug?

@kennyj kennyj closed this Mar 2, 2012
homakov (Contributor, Author) commented Mar 2, 2012

geez. github y u SO open?

(if I append state=open it turns into open, w/o any 'activity' at the bottom. You are surely one of those who should start using attr_accessible right away :) sorry for the caused inconvenience)

@drogus dat was just naughty testing. please close ticket. (I can do it by myself though :))

I am going to provide a pull request shortly. IMHO rails should get a configuration option like

active_record.blacklist_attributes = %w{created_at updated_at}

and in typical rails project during development process it should turn into

active_record.blacklist_attributes = %w{created_at updated_at state user_id role_id *_id rating}

Github, sorry for exploring your small bugs, I'm just overviewing security issues of rails. Be safe
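The mass-assignment problem described above (a request param such as state=open silently updating a column) and the two defences mentioned, attr_accessible-style whitelisting and the proposed blacklist option, shown as an added Ruby example that is not code from this issue or from Rails; the Model, UnprotectedIssue, WhitelistIssue and BlacklistIssue classes, the assignable?/assign_attributes methods and the reopen_attempt helper are made up for illustration and only mimic ActiveRecord semantics on plain Ruby objects.

```ruby
# Added example, not code from Rails or this issue; every name here is made up.
class Model
  # Whitelist: only these attribute names may be set from request params.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end
  # Blacklist: never settable from params; "*_id"-style globs are accepted.
  def self.attr_protected(*names)
    @blacklist = names.map(&:to_s)
  end
  def self.assignable?(name)
    return false if (@blacklist || []).any? { |pat| File.fnmatch(pat, name) }
    @accessible.nil? || @accessible.include?(name)
  end

  # Sets only assignable params; returns the dropped names so they can be logged.
  def assign_attributes(params)
    rejected = []
    params.each do |name, value|
      if self.class.assignable?(name.to_s)
        instance_variable_set("@#{name}", value)
      else
        rejected << name.to_s
      end
    end
    rejected
  end
end

# Vulnerable: nothing is filtered, so state and user_id come from the request.
class UnprotectedIssue < Model
  attr_accessor :title, :state, :user_id
  def initialize; @title, @state, @user_id = "", "closed", 1; end
end

class WhitelistIssue < UnprotectedIssue # hardened: only title is writable
  attr_accessible :title
end

class BlacklistIssue < UnprotectedIssue # hardened with the proposed blacklist
  attr_protected "created_at", "updated_at", "state", "*_id"
end

# Constructed request params: a title update with state=open appended.
EVIL_PARAMS = { "title" => "3012", "state" => "open", "user_id" => 42 }

# Returns [state, user_id, rejected names] after the update attempt.
def reopen_attempt(klass)
  issue = klass.new
  rejected = issue.assign_attributes(EVIL_PARAMS)
  [issue.state, issue.user_id, rejected]
end
```

Logging the rejected names is the cheap detection win: repeated dropped state or *_id params from one account are worth an alert.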

homakov (Contributor, Author) commented Mar 2, 2012

ALL UR ISSUES ARE BELONG TO US
#5238

sikachu (Member) commented Mar 2, 2012

Please report this bug to GitHub here: https://github.com/contact. I'm pretty sure that they're not checking Rails issues for their site's bugs. Thanks.

jasdeepsingh commented Mar 4, 2012

LOL! :) Bender from Future.... Makes my day! :) Please report the bugs to GitHub....

benatkin commented Mar 4, 2012

Still shows up at the top of Closed Issues.

lenage commented Mar 5, 2012

Nice, opened this issue 1001 years

hlxwell commented Mar 5, 2012

ghost commented Mar 5, 2012

guy who made time travel possible: @homakov

watson commented Mar 5, 2012

Bender

levhita commented Mar 5, 2012

*Stands up and applauds*

krolow commented Mar 5, 2012

:D

henvic commented Mar 5, 2012

omg! rofl.

thejh commented Mar 5, 2012

That was classy!

lockie commented Mar 5, 2012

applause gif

RenaKunisaki commented Mar 6, 2012

Wow. Just wow. So it just blindly updates any fields specified by the user? Someone skipped security 101...

wrzasa commented Mar 6, 2012

Bravo! ;-)

lastknight commented Mar 6, 2012

Kudos, m8.

benatkin commented Mar 6, 2012

like a bau5

twksos commented Mar 7, 2012

Bump.

iambowen commented Mar 7, 2012

Awesome~, security problems should be treated seriously; sometimes you can't count on programmers for everything. They are not all that smart about considering security issues when busy finishing stories.....

levhita commented Mar 7, 2012

LOLS

Dfred commented Mar 7, 2012

too bad they don't acknowledge homakov's proper behavior: report... no action? ... show it. White hat style.

ghost commented Mar 7, 2012

respect

ellisonleao commented Mar 7, 2012

clap clap!

steakknife (Contributor) commented Mar 7, 2012

If this doesn't deserve a defcon uberbadge (or at least a speaker slot), I don't know what does.

SnoFox commented Mar 7, 2012

I want to put some awesome picture or comment here to acknowledge this awesomeness, but I'm not clever enough. Still, awesome! :D

ali commented Mar 7, 2012

SnoFox commented Mar 7, 2012

@ali - perfect.

Aelthien commented Mar 7, 2012

Are there flying cars?

dazuiba commented Mar 8, 2012

Looks like protected attributes really are hard to set up correctly. Even GitHub got hit.

mseymour commented Mar 9, 2012

This is awesome.

Braunson commented Mar 30, 2012

Wow..

tkaw220 commented Mar 30, 2012

Great one.

benatkin commented Mar 30, 2012

Glad to see that the date is still intact. Way to be a good sport GitHub!

mhr commented Apr 7, 2012

hahahaha

pmq20 commented Jun 24, 2012

love it

benatkin commented Jun 24, 2012

❤️

nishanthan144 commented Jan 10, 2013

good example to be aware of attr_accessible

guilhermesimoes commented Mar 4, 2013

A year after this exploit (or is it a 1000 thousand years before? 😄 ) I still find this interesting and important. May it serve as a warning and a lesson to all developers.

Congratulations on your great year @homakov!

benatkin commented Mar 4, 2013

is GitHub still on Rails 2? or have they upgraded to Rails 3?

aditya-kapoor (Contributor) commented Jun 3, 2013

Nyccc....:)

homakov (Contributor, Author) commented Jun 3, 2013

Title for sale, bros! It's gonna be there for next 999 years...

killthekitten (Contributor) commented Jun 20, 2013

OK, let's start placing bids. Mine will be $0.99/month

briandiaz commented Oct 1, 2013

Hahahahaha

remoharsono commented Nov 9, 2013

respect. another great year @homakov

Xethron commented Jun 19, 2014

Seems like the date got fixed.....

@rails rails locked and limited conversation to collaborators Jun 19, 2014