Rails Security

Posted by Bart ten Brinke Thu, 20 Sep 2007 17:30:54 GMT

After a security presentation at RailsConfEurope 2007, I found a lot was missing, so I made this. I didn’t finish it in time for reject conf, so I posted it here. Now it's time for me to go on vacation! See you next week!

Comments

  1. Leon Berenschot said about 1 hour later:
    the presentation @ railsconf missed a lot of topics indeed! Expected more out of it.... maybe next year :)
  2. Pratik said about 2 hours later:
    In addition to what Bart said/presented, make sure you don't trust strip_links() and strip_tags(). http://dev.rubyonrails.org/ticket/8877
  3. Joseph said about 10 hours later:
    Typo on slide 3: Person.find(:first, :conditions => "name = ?", [name]) should be Person.find(:first, :conditions => ["name = ?", name])
  4. Heiko Webers said about 14 hours later:
    Thanks. You can go on reading at http://www.rorsecurity.info
  5. Bart ten Brinke said about 15 hours later:
    Thanks Joseph, I fixed it.
  6. Heiko Webers said 4 days later:
    I created a Rails security cheatsheet as a follow-up. http://www.rorsecurity.info/2007/09/24/ruby-on-rails-security-cheatsheet/
  7. Andre Foeken said 5 days later:
    Tnx Heiko, it looks great :)
  8. Bart ten Brinke said 21 days later:
    The to_json XSS exploit is finally fixed in rails 1.2.4 :)!
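The array form of `:conditions` that Joseph's comment corrects works because ActiveRecord quotes every bound value before it is spliced into the SQL. The following is an added example, not code from the post or from Rails: a minimal re-implementation of that expansion (hypothetical helpers `quote_value`, `expand_conditions`) next to the string-interpolation form that the parameterized syntax replaces.

```ruby
# Quote one value the way a SQL adapter does: strings get single quotes with
# embedded quotes doubled, nil becomes NULL, numbers pass through unquoted,
# arrays expand to a comma-separated list (for "id IN (?)").
def quote_value(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  when Array   then value.map { |v| quote_value(v) }.join(", ")
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Expand ["name = ? AND age > ?", name, age] into a SQL fragment.
# Each "?" is replaced by an already-quoted value, so the input can never
# change the structure of the statement; a count mismatch is an error,
# mirroring what ActiveRecord raises for a wrong number of bind variables.
def expand_conditions(conditions)
  template, *values = conditions
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError,
          "wrong number of bind variables (#{values.size} for #{placeholders})"
  end
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# The form a slide must not show: the value is interpolated verbatim, so any
# input containing a single quote is no longer a value but part of the SQL.
def interpolated_conditions(name)
  "name = '#{name}'"
end

if __FILE__ == $0
  puts expand_conditions(["name = ? AND age > ?", "O'Brien", 30])
  puts interpolated_conditions("O'Brien")
end
```

Running it prints `name = 'O''Brien' AND age > 30` for the parameterized form and the broken `name = 'O'Brien'` for the interpolated one.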
