3012 #5239

Closed
homakov opened this Issue Mar 2, 2012 · 47 comments

@homakov
Hey. Where is a suicide booth?

from 3012 with love

You should check it ... #5228 :trollface:
[CONTENT IS FOR SALE EITHER]

@drogus
Ruby on Rails member

Good one ;)

@drogus drogus closed this Mar 2, 2012
@kennyj

I'm closing it (again).
@drogus closed it, but it's still open.
github bug?

@kennyj kennyj closed this Mar 2, 2012
@homakov

geez. github y u SO open?

(if I append state=open it turns into open, w/o any 'activity' at the bottom. You are surely one of those who should start using attr_accessible right away :) sorry for the caused inconvenience)

@drogus dat was just naughty testing. please close ticket. (I can do it by myself though :))

I am going to provide a pull request shortly. IMHO rails should get a configuration option like

active_record.blacklist_attributes = %w{created_at updated_at}

and in typical rails project during development process it should turn into

active_record.blacklist_attributes = %w{created_at updated_at state user_id role_id *_id rating}

Github, sorry for exploring your small bugs, I'm just overviewing security issues of rails. Be safe
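As an added illustration (not code from this thread, from GitHub, or from Rails itself): the blind mass-assignment pattern described above, next to the two mitigations mentioned in the comment, an attr_accessible-style whitelist and the blacklist homakov proposes (including the `*_id` glob), modelled in plain Ruby with no ActiveRecord. The `Issue` class, its attribute names, the `update_*` method names and the tampered request params are all constructed for this example; matching the `*_id` pattern with `File.fnmatch?` is an assumption about how such a glob would be interpreted, not Rails behaviour.

```ruby
# Added example: a stand-in for an ActiveRecord-style model, no Rails needed.
class Issue
  attr_accessor :title, :body, :state, :created_at, :user_id
  attr_reader :rejected # attribute names dropped by the last filtered update

  # Whitelist in the spirit of attr_accessible (hypothetical names).
  ACCESSIBLE = %w[title body].freeze
  # Blacklist as suggested in the comment above; "*_id" is a glob pattern.
  PROTECTED  = %w[created_at updated_at state user_id role_id *_id rating].freeze

  def initialize
    @title, @body = "", ""
    @state, @created_at, @user_id = "closed", "2012-03-02", 7 # constructed defaults
    @rejected = []
  end

  # True when a parameter name matches any blacklist entry (glob-aware).
  def self.protected?(name)
    PROTECTED.any? { |pattern| File.fnmatch?(pattern, name.to_s) }
  end

  # Vulnerable: every key the request supplies reaches a setter.
  def update_unfiltered(params)
    params.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # Hardened (whitelist): only explicitly accessible keys are applied.
  def update_whitelisted(params)
    @rejected = params.keys.map(&:to_s).reject { |k| ACCESSIBLE.include?(k) }
    params.each { |k, v| public_send("#{k}=", v) if ACCESSIBLE.include?(k.to_s) }
    self
  end

  # Hardened (blacklist): protected keys are dropped, everything else applied.
  def update_blacklisted(params)
    @rejected = params.keys.map(&:to_s).select { |k| Issue.protected?(k) }
    params.each { |k, v| public_send("#{k}=", v) unless Issue.protected?(k) }
    self
  end
end

# Constructed request params: a legitimate title edit plus tampered fields.
TAMPERED_PARAMS = {
  "title" => "3012", "state" => "open", "created_at" => "3012-03-02", "user_id" => 1
}.freeze

# Runs all three update paths on a fresh issue and reports what each let through.
def demo
  unsafe = Issue.new.update_unfiltered(TAMPERED_PARAMS)
  white  = Issue.new.update_whitelisted(TAMPERED_PARAMS)
  black  = Issue.new.update_blacklisted(TAMPERED_PARAMS)
  {
    unsafe_state: unsafe.state,          # "open": blind assignment flipped it
    unsafe_created_at: unsafe.created_at, # "3012-03-02": the time travel
    whitelist_state: white.state,        # "closed": dropped by whitelist
    whitelist_rejected: white.rejected,
    blacklist_state: black.state,        # "closed": dropped by blacklist
    blacklist_user_id: black.user_id,    # 7: "*_id" glob caught user_id
    blacklist_title: black.title         # "3012": harmless edit still applied
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Rails 3.x shipped both `attr_accessible` (whitelist) and `attr_protected` (blacklist); the whitelist is the safer default because a new column is protected until someone deliberately exposes it, whereas a blacklist silently leaves any column nobody thought to list wide open. Logging the `rejected` names is also a cheap detection signal: a request that keeps trying to set `state` or `*_id` on a form that never offers those fields is worth an alert.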

@homakov

ALL UR ISSUES ARE BELONG TO US
#5238

@sikachu
Ruby on Rails member

Please report this bug to GitHub here: https://github.com/contact. I'm pretty sure that they're not checking Rails issues for their site's bugs. Thanks.

@jasdeepsingh

LOL! :) Bender from Future.... Makes my day! :) Please report the bugs to GitHub....

@benatkin

Still shows up at the top of Closed Issues.

@lenage

Nice, opened this issue 1001 years ago

@hlxwell

@ghost

guy who made time travel possible: @homakov

@levhita
*Stands up and applauds*
@krolow

:D

@henvic

omg! rofl.

@thejh

That was classy!

@RenaKunisaki

Wow. Just wow. So it just blindly updates any fields specified by the user? Someone skipped security 101...

@wrzasa

Bravo! ;-)

@lastknight

Kudos, m8.

@benatkin

like a bau5

@twksos

Bump

@iambowen

Awesome~, security problems should be treated seriously, sometimes you can't count on programmers for everything. They are not all that smart about considering the security issue when busy with finishing stories.....

@Dfred

too bad they don't acknowledge homakov's proper behavior: report... no action? ... show it. White hat style.

@ghost

respect

@ellisonleao

clap clap!

@steakknife

If this doesn't deserve a defcon uberbadge (or at least a speaker slot), I don't know what does.

@SnoFox

I want to put some awesome picture or comment here to acknowledge this awesomeness, but I'm not clever enough. Still, awesome! :D

@ali
ali commented Mar 7, 2012

@SnoFox

@ali - perfect.

@Aelthien

Are there flying cars?

@dazuiba

Looks like protected attributes really are hard to set up properly. Even GitHub got hit.

@mseymour

This is awesome.

@Braunson

Wow..

@tkaw220

Great one.

@benatkin

Glad to see that the date is still intact. Way to be a good sport GitHub!

@mhr
mhr commented Apr 7, 2012

hahahaha

@pmq20

love it

@benatkin

❤️

@jasonmp85 jasonmp85 referenced this issue in jashkenas/underscore Jul 27, 2012
Closed

Invert escape on templates #394

@nishanthan144

good example to be aware of attr_accessible

@guilhermesimoes

A year after this exploit (or is it a 1000 thousand years before? 😄 ) I still find this interesting and important. May it serve as a warning and a lesson to all developers.

Congratulations on your great year @homakov!

@benatkin

is github still on rails 2? or have they upgraded to rails 3?

@amacneil amacneil referenced this issue in laravel/framework Mar 24, 2013
Closed

Guard all attributes by default #665

@aditya-kapoor

Nyccc....:)

@homakov

Title for sale, bros! It's gonna be there for next 999 years...

@killthekitten

OK, let's start placing bids. Mine will be $0.99/month

@briandiaz

Hahahahaha

@remoharsono

respect. another great year @homakov

@Xethron

Seems like the date got fixed.....

@arthurnn arthurnn locked and limited conversation to collaborators Jun 19, 2014