Simon Willison’s Weblog

Blogmarks tagged security, ruby

Filters: Type: blogmark × security × ruby ×

XSS Protection by Default in Rails 3.0. Fantastic news—congratulations, Rails core team. # 8th October 2009, 4:35 pm

DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming. # 23rd August 2008, 11:11 am

Ruby’s Vulnerability Handling Debacle. The critical Ruby vulnerabilities are over a week old now but there’s still no good official patch (the security patches cause segfaults in Rails, leaving the community reliant on unofficial patches from third parties). Max Caceres has three takeaway lessons, the most important of which is to always keep a “last-known-good” branch to apply critical patches to. # 2nd July 2008, 10:39 am

Arbitrary code execution vulnerabilities in Ruby (via) Sounds nasty—integer overflows and unsafe allocs leading to memory corruption. Definite DoS and possible code injection as well. Upgrade to Ruby “1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22” ASAP. # 21st June 2008, 8:44 am

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet. # 10th January 2008, 6:46 pm

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. # 9th October 2007, 12:23 pm