Simon Willison’s Weblog

Items tagged rails

Filters: rails ×


DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming. # 23rd August 2008, 11:11 am

Ruby’s Vulnerability Handling Debacle. The critical Ruby vulnerabilities are over a week old now but there’s still no good official patch (the security patches cause segfaults in Rails, leaving the community reliant on unofficial patches from third parties). Max Caceres has three takeaway lessons, the most important of which is to always keep a “last-known-good” branch to apply critical patches to. # 2nd July 2008, 10:39 am

Twitter, or Architecture Will Not Save You. Kellan is not an armchair architect. He also doesn’t mention Rails once. Well worth reading. # 29th May 2008, 1:16 am

On-board vs. Off-board Comet. Useful distinction. On-board comet runs on the same server as the rest of your application; Off-board comet is served from a separate server (generally a subdomain) and a separate stack. If you want to stick with PHP, Rails or Django for the rest of your site off-board comet looks like the way to go. # 22nd May 2008, 5:02 pm

Multi-Inflection-Point Alert. Dammit, Tim, stop giving away our competitive advantages! # 26th April 2008, 6:48 pm

What’s New in Edge Rails: Easier Timezones (via) Time zones can be a nightmare to get right—if this works well it’s going to make a lot of people’s lives a whole bunch easier. # 2nd April 2008, 3:39 pm

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet. # 10th January 2008, 6:46 pm

ErlyWeb vs. Ruby on Rails EC2 Performance Showdown. ErlyWeb’s peak response rate beats Rails by 47x, albeit with a hugely simplified benchmark. More interesting than the results is the idea of using EC2 for benchmarking on identical simulated hardware. # 10th December 2007, 3:27 pm

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. # 1st December 2007, 8:34 pm

BBC Radio Labs: Perl on Rails. BBC engineered built their own Rails clone in Perl to fit in with the BBC’s engineering infrastructure—it’s already running the new programmes guide. # 1st December 2007, 1 am

Two Weeks With Django. A Rails developer tries Django but ends up switching back to Rails. I think we could definitely take some steps towards making the initial user experience a bit smoother—currently you have to decide things like how you’ll serve static files and where you’ll keep your templates. Once you’ve got that lot set up it’s mostly plain sailing but it does mean there’s a bit of a bump in the learning curve. # 15th October 2007, 9:51 pm

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. # 9th October 2007, 12:23 pm

Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone. # 5th October 2007, 11:42 pm

identity-matcher. Dopplr’s social network importing code (for Gmail, Twitter, Facebook and sites supporting Microformats), implemented as a Rails ActiveRecord plugin. # 4th October 2007, 2:53 pm

7 reasons I switched back to PHP after 2 years on Rails. After two years working on a Rails rewrite of CD Baby, Derek Sivers scrapped it and instead rewrote the PHP version using Rails-inspired design principles. Derek would still use Rails for a greenfield project though. # 23rd September 2007, 8:49 am

Bust A Name. Smart Ajax powered domain search; you give it some words, it shows you available combinations. It’s still almost impossible to find something that doesn’t suck though. # 20th August 2007, 3:40 pm

Scale rails from one box to three, four and five. Excellent, concise run-down of what it takes to scale a web application. Most of the advice is easily portable to other frameworks. # 30th July 2007, 1:40 pm

Disambiguated URLs with Ruby on Rails. Using before_filter to remove trailing slashes and a few lines of lighttpd configuration to kill the www. # 24th July 2007, 3:18 pm

One App, One User Account and Multiple OpenIDs. Dr Nic on allowing many OpenIDs to be associated with a single account. # 22nd July 2007, 9:42 pm

Just what web server should be sitting in front of my Rails application? Includes some interesting notes about Varnish, PHK’s high performance, highly configurable front-end caching server (essentially a much more modern version of Squid). # 17th July 2007, 1:29 pm

SELECT * FROM everything, or why databases are awesome. I’m beginning to think that for scalable applications the thinner your ORM is the better—if you even use one at all. # 22nd June 2007, 12:40 am

In the big picture, Twitter did exactly the right thing. They had a good idea and they buckled down and focused on delivering something as cool as possible as fast as possible, and it’s really hard, in early 2007, to beat Rails for that. When all of a sudden there were a few tens of thousands of people using it, then they went to work on the scaling.

Tim Bray # 14th April 2007, 9:13 am

Rails and Scaling with Multiple Databases. Ryan Tomayko explains how his team spreads a high traffic Rails application across five separate PostgreSQL databases by giving each client their own schema—similar to how WordPress MU scales. # 14th April 2007, 2:32 am

None of these scaling approaches are as fun and easy as developing for Rails. All the convenience methods and syntactical sugar that makes Rails such a pleasure for coders ends up being absolutely punishing, performance-wise.

Alex Payne, Twitter # 12th April 2007, 2:51 pm

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative. # 12th March 2007, 12:34 am

Ficlets (via) AOL’s first application to launch on Rails, and their first application to accept OpenIDs as well as AOL screen names. # 10th March 2007, 5:41 pm

The No-Shit Guide To Supporting OpenID In Your Applications. Fantastically useful: Dan Webb digs through the API documentation so you don’t have to. The example code is for Rails but the PHP and Python libraries work in much the same way. # 27th February 2007, 1:56 am

OpenID makes web identities real and appealing. DHH has caught the OpenID bug. Expect to see a flurry of activity around OpenID in the Rails community over the next few weeks. # 26th February 2007, 10:31 am

Rails 1.2.1 Impression. I hadn’t seen assert_select before, which lets you unit test generated HTML using CSS selectors; a really neat idea. # 15th February 2007, 9:14 am

A brief update with some numbers for hardware load-balanced mongrels. 4000 requests/second on 48 mongrels behind a hardware load balancer. # 5th February 2007, 12:38 am