3012 #5239

homakov opened this Issue · 48 comments

39 participants

Egor Homakov Piotr Sarnacki Toshinori Kajihara Prem Sichanugrist Jasdeep Singh Benjamin Atkin Yuan He Michael He Thomas Watson Steen Argel Arias Vinícius Krolow Henrique Vicente Jann Horn Andrew Kravchuk Rena Kunisaki wrzasa The Fool s.r.l. Guangcheng Wei bowen frederic Delaunay NOT Leonardo Ellison Leão Barry Allard Josh Johnson and others
Egor Homakov
Hey. Where is a suicide booth?

from 3012 with love

You should check it ... #5228 :trollface:

Piotr Sarnacki

Good one ;)

Piotr Sarnacki drogus closed this
Toshinori Kajihara

I'm closing it (again).
@drogus closed it, but it's still open.
github bug?

Toshinori Kajihara kennyj closed this
Egor Homakov

geez. github y u SO open?

(if I append state=open it turns into open, w/o any 'activity' at the bottom. You are surely one of those who should start using attr_accessible right away :) sorry for the caused inconvenience)

@drogus dat was just naughty testing. please close ticket. (I can do it by myself though :))

I am going to provide a pull request shortly. IMHO rails should get a configuration option like

active_record.blacklist_attributes = %w{created_at updated_at}

and in typical rails project during development process it should turn into

active_record.blacklist_attributes = %w{created_at updated_at state user_id role_id *_id rating}

Github, sorry for exploring your small bugs, I'm just overviewing security issues of rails. Be safe
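The mechanism behind the comment above, as an added illustration that is not code from the thread or from Rails: a minimal stand-in for an ActiveRecord model whose unfiltered mass assignment lets a request set `state` (and a timestamp) directly, next to an `attr_accessible`-style whitelist and a blacklist in the shape of the `active_record.blacklist_attributes` option proposed in the comment. The `Issue` class, its attribute names and the sample request hash are constructed for the example.

```ruby
# Added example (not Rails code): why unfiltered mass assignment is dangerous
# and how a whitelist or the proposed blacklist stops it. Class, attributes
# and the sample request below are constructed for illustration.
require 'set'

class MassAssignmentError < StandardError; end

class Issue
  ATTRIBUTES = %i[title body state user_id created_at].freeze

  # Whitelist in the spirit of attr_accessible: only these may come from params.
  ACCESSIBLE = Set[:title, :body].freeze

  # Blacklist in the spirit of the proposed active_record.blacklist_attributes;
  # glob entries such as "*_id" follow the comment's own example.
  BLACKLIST = %w[created_at updated_at state *_id].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(state: 'open', user_id: 1, created_at: Time.utc(2012, 1, 1))
    @title = nil
    @body = nil
    @state = state
    @user_id = user_id
    @created_at = created_at # constructed date
  end

  # Vulnerable: assigns every key the request supplies, so a client can
  # send state=open (or a far-future created_at) along with a legitimate field.
  def update_attributes_unfiltered(params)
    params.each { |k, v| set(k, v) }
    self
  end

  # Hardened (whitelist): anything outside ACCESSIBLE is logged and dropped.
  def update_attributes_whitelisted(params)
    params.each do |k, v|
      unless ACCESSIBLE.include?(k.to_sym)
        warn "dropped non-accessible attribute #{k}"
        next
      end
      set(k, v)
    end
    self
  end

  # Hardened (blacklist): the shape of the option proposed in the comment.
  def update_attributes_blacklisted(params)
    params.each do |k, v|
      if Issue.blacklisted?(k)
        warn "dropped blacklisted attribute #{k}"
        next
      end
      set(k, v)
    end
    self
  end

  # File.fnmatch? gives shell-style matching, so "*_id" covers user_id, role_id, ...
  def self.blacklisted?(name)
    BLACKLIST.any? { |pattern| File.fnmatch?(pattern, name.to_s) }
  end

  private

  def set(k, v)
    sym = k.to_sym
    raise MassAssignmentError, "unknown attribute #{k}" unless ATTRIBUTES.include?(sym)
    instance_variable_set("@#{sym}", v)
  end
end

# Constructed request body: one legitimate field plus two fields that should
# never be settable by the client.
CLIENT_PARAMS = {
  'title'      => 'Hey. Where is a suicide booth?',
  'state'      => 'open',
  'created_at' => Time.utc(3012, 1, 1),
}.freeze

# Runs the same request against all three variants, starting from a closed issue.
def demo
  {
    unfiltered:  Issue.new(state: 'closed').update_attributes_unfiltered(CLIENT_PARAMS),
    whitelisted: Issue.new(state: 'closed').update_attributes_whitelisted(CLIENT_PARAMS),
    blacklisted: Issue.new(state: 'closed').update_attributes_blacklisted(CLIENT_PARAMS),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, issue| puts "#{name}: state=#{issue.state} created_at=#{issue.created_at.year}" }
end
```

The whitelist variant is the one that fails safe: a field added to the model later is protected until someone deliberately lists it, whereas a blacklist has to be kept in step with every new sensitive column.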

Egor Homakov


Prem Sichanugrist

Please report this bug to GitHub here: I'm pretty sure that they're not checking Rails issue for their site's bug. Thanks.

Jasdeep Singh

LOL! :) Bender from Future.... Makes my day! :) Please report the bugs to GitHub....

Benjamin Atkin

Still shows up at the top of Closed Issues.

Yuan He

Nice, opened this issue 1001 years

Michael He

Deleted user

guy who made time travel possible: @homakov

Argel Arias
  • Stands up and applauds
Vinícius Krolow


Henrique Vicente

omg! rofl.

Jann Horn

That was classy!

Rena Kunisaki

Wow. Just wow. So it just blindly updates any fields specified by the user? Someone skipped security 101...


Bravo! ;-)

The Fool s.r.l.

Kudos, m8.

Benjamin Atkin

like a bau5

Guangcheng Wei



Awesome~, security problems should be treated seriously, sometimes you can't count on programmers for everything. They are not all that smart about considering security issues when busy with finishing stories.....

frederic Delaunay

too bad they don't acknowledge homakov proper behavior: report... no action? ... show it. White hat style.

Ellison Leão

clap clap!

Barry Allard

If this doesn't deserve a defcon uberbadge (or at least a speaker slot), I don't know what does.

Josh Johnson

I want to put some awesome picture or comment here to acknowledge this awesomeness, but I'm not clever enough. Still, awesome! :D

Ali Ukani
ali commented

Josh Johnson

@ali - perfect.


Are there flying cars?

Sam Zhang

It seems protected attributes really are hard to set up. Even GitHub got hit.

Mark Seymour

This is awesome.

Braunson Yager


Edwin Aw

Great one.

Benjamin Atkin

Glad to see that the date is still intact. Way to be a good sport GitHub!

mhr commented



love it

Jason Petersen jasonmp85 referenced this issue in jashkenas/underscore

Invert escape on templates #394

Nishanthan Krishnaswamy

good example to be aware of attr_accessible

Guilherme Simões

A year after this exploit (or is it a 1000 thousand years before? :smile: ) I still find this interesting and important. May it serve as a warning and a lesson to all developers.

Congratulations on your great year @homakov!

Benjamin Atkin

is github still on rails 2? or have they upgraded to rails 3?

Adrian Macneil adrianmacneil referenced this issue in laravel/framework

Guard all attributes by default #665

Aditya Kapoor


Egor Homakov

Title for sale, bros! It's gonna be there for next 999 years...

Nikolay Shebanov

OK, let's start placing bids. Mine will be $0.99/month

Brian Díaz


Remo Harsono

respect. another great year @homakov

Bernhard Breytenbach

Seems like the date got fixed.....

Arthur Nogueira Neves arthurnn locked and limited conversation to collaborators