3012

[homakov]

Hey. Where is a suicide booth?

from 3012 with love

You should check it ... #5228
[CONTENT IS FOR SALE EITHER]

[drogus]

Good one ;)

[kennyj]

I'm closing it (again).
@drogus was close it, but it still open.
github bug?

[homakov]

geez. github y u SO open?

(if I append state=open it turns into open. w/o any 'activity' in the bottom. You are surely ones of those who should start using attr_accessible right away :) sorry for caused inconvinience)

@drogus dat was just naughty testing. please close ticket. (I can do it by myself though :))

I am going to provide pull request shortly. IMHO rails should get configuration option like

active_record.blacklist_attributes = %w{created_at updated_at}

and in typical rails project during development process it should turn into

active_record.blacklist_attributes = %w{created_at updated_at state user_id role_id *_id rating}

Github, sorry for exploring your small bugs, I'm just overviewing security issues of rails. Be safe

[homakov]

ALL UR ISSUES ARE BELONG TO US
#5238

[sikachu]

Please report this bug to GitHub here: https://github.com/contact. I'm pretty sure that they're not checking Rails issue for their site's bug. Thanks.

[jasdeepsingh]

LOL! :) Bender from Future.... Makes my day! :) Please report the bugs to GitHub....

[benatkin]

Still shows up at the top of Closed Issues.

[lenage]

Nice, opened this issue 1001 years

[hlxwell]

踩

[ghost]

guy who made time travel possible: @homakov

[watson]

[levhita]

• Stands up and applause

[krolow]

:D

[henvic]

omg! rofl.

[thejh]

That was classy!

[lockie]

[RenaKunisaki]

Wow. Just wow. So it just blindly updates any fields specified by the user? Someone skipped security 101...

[wrzasa]

Bravo! ;-)

[lastknight]

Kudos, m8.

[benatkin]

like a bau5

[twksos]

顶起

[iambowen]

碉堡了～, security problems should be treated seriously, sometimes you can't count everything on programmers. They are not all that smart to consider the security issue when busy with finishing stories.....

[levhita]

[Dfred]

too bad they don't acknowledge homakov proper behavior: report... no action? ... show it. White hat style.

[leonardodarioperna]

respect

[ellisonleao]

clap clap!

[steakknife]

If this doesn't deserve a defcon uberbadge (or at least a speaker slot), I don't know what does.

[SnoFox]

I want to put some awesome picture or comment here to acknowledge this awesomeness, but I'm not clever enough. Still, awesome! :D

[ali]

[SnoFox]

@ali - perfect.

[Aelthien]

Are there flying cars?

[dazuiba]

看来protected attributes还真不好设置啊. github都中招了.

[mseymour]

This is awesome.

[Braunson]

Wow..

[tkaw220]

Great one.

[benatkin]

Glad to see that the date is still intact. Way to be a good sport GitHub!

[mhr]

hahahaha

[pmq20]

love it

[benatkin]

[nishanthan144]

good example to be aware of attr_accessible

[guilhermesimoes]

A year after this exploit (or is it a 1000 thousand years before? ) I still find this interesting and important. May it serve as a warning and a lesson to all developers.

Congratulations on your great year @homakov!

[benatkin]

is github still on rails 2? or have they upgraded to rails 3?

[aditya-kapoor]

Nyccc....:)

[homakov]

Title for sale, bros! It's gonna be there for next 999 years...

[killthekitten]

OK, let's start placing bids. Mine will be $0.99/month

[briandiaz]

Jajajajaja

[remoharsono]

respect. another great year @homakov