Simon Willison’s Weblog

Blogmarks tagged rails

Filters: Type: blogmark × rails ×


CSRF: Flash + 307 redirect = Game Over. Here’s the exploit that Django and Rails both just released fixes for. It’s actually a flaw in the Flash player. Flash isn’t meant to be able to make cross-domain HTTP requests with custom HTTP headers unless the crossdomain.xml file on the other domain allows them to, but it turns out a 307 redirect (like a 302, but allows POST data to be forwarded) confuses the Flash player in to not checking the crossdomain.xml on the host it is being redirect to. # 10th February 2011, 10:07 pm

Hookbox (via) For most web projects, I believe implementing any real-time comet features on a separate stack from the rest of the application makes sense—keep using Rails, Django or PHP for the bulk of the application logic, and offload any WebSocket or Comet requests to a separate stack built on top of something like Node.js, Twisted, EventMachine or Jetty. Hookbox is the best example of that philosophy I’ve yet seen—it’s a Comet server that makes WebHook requests back to your regular application stack to check if a user has permission to publish or subscribe to a given channel. “The key insight is that all application development with hookbox happens either in JavaScript or in the native language of the web application itself”. # 29th July 2010, 9:48 am

Node.js, redis, and resque (via) Paul Gross has been experimenting with Node.js proxies for allowing web applications to be upgraded without missing any requests. Here he places all incoming HTTP requests in a redis queue, then has his backend Rails servers consume requests from the queue and push the responses back on to a queue for Node to deliver. When the backend application is upgraded, requests remain in the queue and users see a few seconds of delay before their request is handled. It’s not production ready yet (POST requests aren’t handled, for example) but it’s a very interesting approach. # 28th February 2010, 11:02 pm

Play framework for Java. I’m genuinely impressed by this—it’s a full stack web framework for Java that actually does feel a lot like Django or Rails. Best feature: code changes are automatically detected and reloaded by the development web server, giving you the same save-and-refresh workflow you get in Django (no need to compile and redeploy to try out your latest changes). # 25th October 2009, 11:21 pm

How We Made GitHub Fast. Detailed overview of the new GitHub architecture. It’s a lot more complicated than I would have expected—lots of moving parts are involved in ensuring they can scale horizontally when they need to. Interesting components include nginx, Unicorn, Rails, DRBD, HAProxy, Redis, Erlang, memcached, SSH, git and a bunch of interesting new open source projects produced by the GitHub team such as BERT/Ernie and ProxyMachine. # 21st October 2009, 9:14 pm

nginx_http_push_module. More clever design with webhooks—here’s an nginx module that provides a comet endpoint URL which will hang until a back end process POSTs to another URL on the same server. This makes it much easier to build asynchronous comet apps using regular synchronous web frameworks such as Django, PHP and Rails. # 17th October 2009, 4:48 pm

XSS Protection by Default in Rails 3.0. Fantastic news—congratulations, Rails core team. # 8th October 2009, 4:35 pm

Ravelry. Tim Bray interviews Casey Forbes, the single engineer behind Ravelry, the knitting community that serves 10 million Rails requests a day using just seven physical servers, MySQL, Sphinx, memcached, nginx, haproxy, passenger and Tokyo Cabinet. # 3rd September 2009, 6:50 pm

cache-money. A “write-through caching library for ActiveRecord”, maintained by Nick Kallen from Twitter. Queries hit memcached first, and caches are automatically kept up-to-date when objects are created, updated and deleted. Only some queries are supported—joins and comparisons won’t hit the cache, for example. # 28th June 2009, 3:17 pm

whine flu, railsmalefail 2009. Danny quotes the smartest take on the CouchDB/pr0n controversy: “It’s about presenting women as ’the other,’ not ’us.’ It would have been just as offensive if all the women shown were domineering mothers in aprons, shaking their fingers and threatening with rolling pins.” # 29th April 2009, 11:39 am

Phusion Passenger for nginx. Passenger (aka mod_rails / mod_rack) enables easy deployment of Rails and Ruby apps under Apache... and the latest version adds support for nginx as well. It works as an HTTP proxy and process manager, spawning worker processes and forwarding HTTP requests to them via a request queue. It can also handle Python WSGI applications—anyone tried it out for that yet? # 20th April 2009, 4:53 am

Ruby on Rails 2.3 Release Notes. I’m impressed with how thoroughly Rails has embraced Rack (Ruby’s standardised web framework API, inspired by Python’s WSGI). # 15th March 2009, 1:22 pm

Building and Scaling a Startup on Rails: 12 Things We Learned the Hard Way. Lessons learned from Posterous. Some good advice in here, in particular “Memcache later: If you memcache first, you will never feel the pain and never learn how bad your database indexes and Rails queries are”. Also recommends using job queues for offline processing of anything that takes more than 200ms. # 23rd February 2009, 8:28 am

Infrastructure for Modern Web Sites. Leonard’s thoughts on what the next generation of web frameworks should aim to provide. # 29th January 2009, 1:36 pm

Merb gets merged into Rails 3! Huge news. Of particular interest is the new focus on “framework agnosticism”, whereby Rails will aim to play well with people wishing to use alternative ORMs, template mechanisms and so forth. Rails has previously suffered from a reputation for getting in your way if you deviate from its opinions. # 23rd December 2008, 8:32 pm

Response Splitting Risk. Important reminder that you should always ensure strings used in HTTP headers don’t contain newlines. # 19th October 2008, 11:58 pm

Is your Rails application safe? (via) update_attributes(params[:foo]) in ActiveRecord is an anti-pattern. # 22nd September 2008, 8:28 pm

DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming. # 23rd August 2008, 11:11 am

Ruby’s Vulnerability Handling Debacle. The critical Ruby vulnerabilities are over a week old now but there’s still no good official patch (the security patches cause segfaults in Rails, leaving the community reliant on unofficial patches from third parties). Max Caceres has three takeaway lessons, the most important of which is to always keep a “last-known-good” branch to apply critical patches to. # 2nd July 2008, 10:39 am

Twitter, or Architecture Will Not Save You. Kellan is not an armchair architect. He also doesn’t mention Rails once. Well worth reading. # 29th May 2008, 1:16 am

On-board vs. Off-board Comet. Useful distinction. On-board comet runs on the same server as the rest of your application; Off-board comet is served from a separate server (generally a subdomain) and a separate stack. If you want to stick with PHP, Rails or Django for the rest of your site off-board comet looks like the way to go. # 22nd May 2008, 5:02 pm

Multi-Inflection-Point Alert. Dammit, Tim, stop giving away our competitive advantages! # 26th April 2008, 6:48 pm

What’s New in Edge Rails: Easier Timezones (via) Time zones can be a nightmare to get right—if this works well it’s going to make a lot of people’s lives a whole bunch easier. # 2nd April 2008, 3:39 pm

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet. # 10th January 2008, 6:46 pm

ErlyWeb vs. Ruby on Rails EC2 Performance Showdown. ErlyWeb’s peak response rate beats Rails by 47x, albeit with a hugely simplified benchmark. More interesting than the results is the idea of using EC2 for benchmarking on identical simulated hardware. # 10th December 2007, 3:27 pm

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. # 1st December 2007, 8:34 pm

BBC Radio Labs: Perl on Rails. BBC engineered built their own Rails clone in Perl to fit in with the BBC’s engineering infrastructure—it’s already running the new programmes guide. # 1st December 2007, 1 am

Two Weeks With Django. A Rails developer tries Django but ends up switching back to Rails. I think we could definitely take some steps towards making the initial user experience a bit smoother—currently you have to decide things like how you’ll serve static files and where you’ll keep your templates. Once you’ve got that lot set up it’s mostly plain sailing but it does mean there’s a bit of a bump in the learning curve. # 15th October 2007, 9:51 pm

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. # 9th October 2007, 12:23 pm

Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone. # 5th October 2007, 11:42 pm