
3012 #5239

Closed
homakov opened this Issue Mar 2, 2012 · 47 comments
@homakov
homakov commented Mar 2, 2012
Hey. Where is a suicide booth?

from 3012 with love

You should check it ... #5228 :trollface:
[CONTENT IS FOR SALE EITHER]

@drogus
Ruby on Rails member
drogus commented Mar 2, 2012

Good one ;)

@drogus drogus closed this Mar 2, 2012
@kennyj
kennyj commented Mar 2, 2012

I'm closing it (again).
@drogus closed it, but it's still open.
github bug?

@kennyj kennyj closed this Mar 2, 2012
@homakov
homakov commented Mar 2, 2012

geez. github y u SO open?

(if I append state=open it turns into open. w/o any 'activity' in the bottom. You are surely one of those who should start using attr_accessible right away :) sorry for the caused inconvenience)

@drogus dat was just naughty testing. please close ticket. (I can do it by myself though :))

I am going to provide a pull request shortly. IMHO rails should get a configuration option like

active_record.blacklist_attributes = %w{created_at updated_at}

and in typical rails project during development process it should turn into

active_record.blacklist_attributes = %w{created_at updated_at state user_id role_id *_id rating}

Github, sorry for exploring your small bugs, I'm just overviewing security issues of rails. Be safe
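The reopen trick described above (appending state=open to a form) and the two guards proposed in this comment, an attr_accessible-style whitelist and a blacklist with a `*_id` glob, as an added plain-Ruby example; this is not code from the thread or from Rails, and the class and method names are hypothetical.

```ruby
# Added example (not from the thread or from Rails): plain-Ruby sketch of
# mass assignment and of the two guards discussed above. Names are hypothetical.

# Vulnerable: every key in params becomes a setter call, so a client who
# appends "state=open" (or "user_id=1") to the form reopens or re-owns the record.
class UnguardedIssue
  attr_accessor :title, :body, :state, :user_id, :created_at

  def initialize(state: "closed", user_id: 42)
    @state, @user_id = state, user_id
  end

  def update_attributes(params)
    params.each { |k, v| public_send("#{k}=", v) }  # no check at all
    self
  end
end

# Guarded: an attr_accessible-style whitelist plus the glob-style blacklist
# proposed in the thread ("*_id" matches user_id, role_id, ...). A key must pass
# both before it is assigned; everything else is dropped and reported.
class GuardedIssue < UnguardedIssue
  ACCESSIBLE = %w[title body].freeze
  BLACKLIST  = %w[created_at updated_at state user_id role_id *_id rating].freeze

  def self.blacklisted?(key)
    BLACKLIST.any? { |pat| File.fnmatch?(pat, key.to_s) }
  end

  # Returns [allowed_hash, rejected_hash].
  def self.sanitize(params)
    params.partition do |k, _|
      ACCESSIBLE.include?(k.to_s) && !blacklisted?(k)
    end.map(&:to_h)
  end

  def update_attributes(params)
    allowed, rejected = self.class.sanitize(params)
    warn "dropped protected attributes: #{rejected.keys.join(', ')}" unless rejected.empty?
    super(allowed)
  end
end

# Constructed request body, shaped like the tampered form submission described above.
TAMPERED = { "title" => "3012", "state" => "open", "user_id" => "1" }.freeze

if __FILE__ == $0
  puts UnguardedIssue.new.update_attributes(TAMPERED).state   # => open
  puts GuardedIssue.new.update_attributes(TAMPERED).state     # => closed
end
```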

@homakov
homakov commented Mar 2, 2012

ALL UR ISSUES ARE BELONG TO US
#5238

@sikachu
Ruby on Rails member
sikachu commented Mar 2, 2012

Please report this bug to GitHub here: https://github.com/contact. I'm pretty sure that they're not checking Rails issue for their site's bug. Thanks.

@jasdeepsingh

LOL! :) Bender from Future.... Makes my day! :) Please report the bugs to GitHub....

@benatkin
benatkin commented Mar 4, 2012

Still shows up at the top of Closed Issues.

@lenage
lenage commented Mar 5, 2012

Nice, opened this issue 1001 years

@hlxwell
hlxwell commented Mar 5, 2012

@ghost
ghost commented Mar 5, 2012

guy who made time travel possible: @homakov

@watson
watson commented Mar 5, 2012

Bender

@levhita
levhita commented Mar 5, 2012
  • Stands up and applauds
@krolow
krolow commented Mar 5, 2012

:D

@henvic
henvic commented Mar 5, 2012

omg! rofl.

@thejh
thejh commented Mar 5, 2012

That was classy!

@lockie
lockie commented Mar 5, 2012

applause gif

@RenaKunisaki

Wow. Just wow. So it just blindly updates any fields specified by the user? Someone skipped security 101...

@wrzasa
wrzasa commented Mar 6, 2012

Bravo! ;-)

@lastknight

Kudos, m8.

@benatkin
benatkin commented Mar 6, 2012

like a bau5

@twksos
twksos commented Mar 7, 2012

Bump.

@iambowen
iambowen commented Mar 7, 2012

Awesome~, security problems should be treated seriously, sometimes you can't count on programmers for everything. They are not all that smart about considering the security issue when busy with finishing stories.....

@levhita
levhita commented Mar 7, 2012

LOLS

@Dfred
Dfred commented Mar 7, 2012

too bad they don't acknowledge homakov's proper behavior: report... no action? ... show it. White hat style.

@leonardodarioperna

respect

@ellisonleao

clap clap!

@steakknife

If this doesn't deserve a defcon uberbadge (or at least a speaker slot), I don't know what does.

@SnoFox
SnoFox commented Mar 7, 2012

I want to put some awesome picture or comment here to acknowledge this awesomeness, but I'm not clever enough. Still, awesome! :D

@ali
ali commented Mar 7, 2012

@SnoFox
SnoFox commented Mar 7, 2012

@ali - perfect.

@Aelthien
Aelthien commented Mar 7, 2012

Are there flying cars?

@dazuiba
dazuiba commented Mar 8, 2012

Looks like protected attributes really aren't easy to set up. Even GitHub got hit.

@mseymour
mseymour commented Mar 9, 2012

This is awesome.

@Braunson

Wow..

@tkaw220
tkaw220 commented Mar 30, 2012

Great one.

@benatkin

Glad to see that the date is still intact. Way to be a good sport GitHub!

@mhr
mhr commented Apr 7, 2012

hahahaha

@pmq20
pmq20 commented Jun 24, 2012

love it

@jasonmp85 jasonmp85 referenced this issue in jashkenas/underscore Jul 27, 2012
Closed

Invert escape on templates #394

@nishanthan144

good example to be aware of attr_accessible

@guilhermesimoes

A year after this exploit (or is it 1000 years before? :smile: ) I still find this interesting and important. May it serve as a warning and a lesson to all developers.

Congratulations on your great year @homakov!

@benatkin
benatkin commented Mar 4, 2013

is github still on rails 2? or have they upgraded to rails 3?

@amacneil amacneil referenced this issue in laravel/framework Mar 24, 2013
Closed

Guard all attributes by default #665

@aditya-kapoor

Nyccc....:)

@homakov
homakov commented Jun 3, 2013

Title for sale, bros! It's gonna be there for next 999 years...

@killthekitten

OK, let's start placing bids. Mine will be $0.99/month

@briandiaz

Jajajajaja

@remoharsono

respect. another great year @homakov

@Xethron
Xethron commented Jun 19, 2014

Seems like the date got fixed.....

@arthurnn arthurnn locked and limited conversation to collaborators Jun 19, 2014