Re: [ruby-81] automagic vulnerabilities connected to habtm

From: Shannon -jj B.
Sent on: Tuesday, August 4, 2009 1:20 AM
attr_accessible is a good start.  I think attr_protected is misleading
since no one will remember to protect all the things that really need
protecting, for example all the has_many, belongs_to, habtm, etc.
relationships.

After a lot of thinking about the subject, I blogged here:
http://jjinux.blo...
Hopefully someone finds it helpful!

Happy Hacking!
-jj

On Mon, Aug 3, 2009 at 5:51 AM, Wolfram Arnold<[address removed]> wrote:
> Thanks JJ for bringing this up, and I didn't have a good answer for you. The
> gist of the other thread is to use attr_accessible or its inverse,
> attr_protected to guard against mass-assignments in models. For any
> sensitive field (e.g. passwords) this should probably be done.
>
> Best,
>
> Wolf
>
> On Tue, Jul 28, 2009 at 9:09 PM, Shannon -jj Behrens <[address removed]>
> wrote:
>>
>> At the last meeting, I brought up the fact that
>> accepts_nested_attributes_for can lead to security holes that you
>> didn't expect if used incorrectly. I was coding something yesterday,
>> and I realized that attributes= can lead to vulnerabilities too. I
>> realized that almost everyone is vulnerable to this attack. I brought
>> this up on the SF Ruby mailing list, which many of you are probably
>> subscribed to anyway. There's a good thread going on. The most
>> important link is:
>>
>> http://railspikes...
>>
>> Happy Hacking!
>> -jj
>>
>> --
>> In this life we cannot do great things. We can only do small things
>> with great love. -- Mother Teresa
>> http://jjinux.blo...
>>
>>
>>
>
>
>
> --
> www.RubyFocus.biz --- San Francisco --- direct:[masked]



-- 
In this life we cannot do great things. We can only do small things
with great love. -- Mother Teresa
http://jjinux.blo...
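To make the thread's point concrete, here is an added example that is not part of any message above and not Rails code: a minimal stand-in for ActiveRecord's attributes= (the User class and its name, admin and role_ids fields are constructed) showing that a denylist in the style of attr_protected still lets the has_and_belongs_to_many writer role_ids= through, while an allowlist in the style of attr_accessible does not.

```ruby
# Added example, not from the thread: a tiny imitation of ActiveRecord's
# attributes= so the denylist/allowlist difference can run without Rails.
# User, name, admin and role_ids are constructed, illustrative names.
class User
  attr_accessor :name, :admin, :role_ids

  # Denylist in the spirit of attr_protected: everything else is writable.
  PROTECTED = %w[id admin].freeze
  # Allowlist in the spirit of attr_accessible: only these keys are writable.
  ACCESSIBLE = %w[name].freeze

  def initialize
    @name = nil
    @admin = false
    @role_ids = [] # what a habtm :roles association exposes as role_ids=
  end

  # Any key with a matching writer is assigned unless it is on the denylist.
  # role_ids= is a writer too, so it is only safe if someone remembered it.
  def assign_denylist(params)
    params.each do |key, value|
      writer = "#{key}="
      next if PROTECTED.include?(key.to_s)
      send(writer, value) if respond_to?(writer)
    end
    self
  end

  # Only explicitly allowed keys are assigned; unknown writers are ignored.
  def assign_allowlist(params)
    params.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      send("#{key}=", value)
    end
    self
  end
end

# Constructed request parameters: the form only rendered a name field, but
# the submitted body carries two extra keys.
PARAMS = { "name" => "alice", "admin" => true, "role_ids" => [1] }.freeze

def denylist_result
  User.new.assign_denylist(PARAMS)
end

def allowlist_result
  User.new.assign_allowlist(PARAMS)
end
```

With the denylist, admin stays false but role_ids becomes [1]; with the allowlist, only name is set.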
