Rails "core team" fucks up big time

Posted on June 07, 2009 at 11:03 PM

Categories: tech, code, rails

Hey, if you have a Rails app that uses the recently introduced authenticate_or_request_with_http_digest (Rails 2.3, http_authentication.rb), you've got a big fucking security hole. Anyone can log in if they provide a wrong username and no password, or a nil username & password.

Kind of terrible, right?
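To make the failure mode concrete, here is an added toy digest validator written for this post; it is not Rails' own http_authentication.rb code. The mechanism it models is an assumption: the app's password lookup returns nil for an unknown username, and because Ruby interpolates nil as an empty string, the server's expected digest for a wrong username equals the one a client computes with an empty password. The hardened version refuses a nil lookup result before computing anything.

```ruby
require 'digest/md5'

# Constructed user table, standing in for the app's password lookup block.
USERS = { "alice" => "s3cret" }
REALM = "Application"

# HA1, HA2 and the response as RFC 2617 defines them (no qop, for brevity).
def ha1(user, realm, password)
  Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
end

def ha2(method, uri)
  Digest::MD5.hexdigest("#{method}:#{uri}")
end

def digest_response(user, realm, password, nonce, method, uri)
  Digest::MD5.hexdigest("#{ha1(user, realm, password)}:#{nonce}:#{ha2(method, uri)}")
end

# What a client sends: the response computed from the credentials it holds.
def client_request(user, password, nonce, method = "GET", uri = "/")
  { username: user, nonce: nonce, method: method, uri: uri,
    response: digest_response(user, REALM, password, nonce, method, uri) }
end

# Vulnerable check (hypothetical): an unknown username makes the lookup return
# nil, and "#{nil}" is "", so the expected digest is the one for an empty password.
def validate_vulnerable(creds)
  password = USERS[creds[:username]]   # nil for unknown users
  expected = digest_response(creds[:username], REALM, password,
                             creds[:nonce], creds[:method], creds[:uri])
  expected == creds[:response]
end

# Hardened check: fail closed when the lookup finds no such user.
def validate_fixed(creds)
  password = USERS[creds[:username]]
  return false unless password
  expected = digest_response(creds[:username], REALM, password,
                             creds[:nonce], creds[:method], creds[:uri])
  expected == creds[:response]
end

nonce = "deadbeef"  # constructed; a real server issues and validates nonces
puts validate_vulnerable(client_request("alice", "s3cret", nonce))  # true
puts validate_vulnerable(client_request("nobody", "", nonce))       # true: the bypass
puts validate_fixed(client_request("nobody", "", nonce))            # false
```

The same nil-to-empty-string collapse is why a nil username and password also pass the vulnerable check, so the fix has to happen before the digest is computed, not in the comparison.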

So Nate posts it on his blog after a week of trying to get the attention of the Rails security people, and they blame him in their security alert:

Due to communication difficulties and a misunderstanding between the reporter and the security team, this vulnerability has been publicly disclosed on several websites; users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.

And they give him no credit. Most of the RCT idiosyncrasies I can write off, but don't fuck with security.
