Moves On Rails: Rails Security

Rails Security

bart.tenbrinke@movesonrails.com (Bart ten Brinke) — Thu, 20 Sep 2007 19:28:00 +0200

After a security presentation at RailsConfEurope 2007, I found a lot was missing, so I made this. I didn’t finish it in time for reject conf, so I posted it here. Now it's time for me to go on vacation! See you next week!

"Rails Security" by Bart ten Brinke

Thu, 11 Oct 2007 10:06:28 +0200

The to_json XSS exploit is finally fixed in rails 1.2.4 :)!

"Rails Security" by Andre Foeken

Tue, 25 Sep 2007 08:35:38 +0200

Tnx Heiko, it looks great :)

"Rails Security" by Heiko Webers

Tue, 25 Sep 2007 00:23:17 +0200

I created a Rails security cheatsheet as a follow-up. http://www.rorsecurity.info/2007/09/24/ruby-on-rails-security-cheatsheet/

"Rails Security" by Bart ten Brinke

Fri, 21 Sep 2007 10:29:17 +0200

Thanks Joseph, I fixed it.

"Rails Security" by Heiko Webers

Fri, 21 Sep 2007 09:55:25 +0200

Thanks. You can go on reading at http://www.rorsecurity.info

"Rails Security" by Joseph

Fri, 21 Sep 2007 05:07:31 +0200

Typo on slide 3: Person.find(:first, :conditions => "name = ?", [name]) should be Person.find(:first, :conditions => ["name = ?", name])

"Rails Security" by Pratik

Thu, 20 Sep 2007 21:42:41 +0200

In addition to what Bart said/presented, make sure you don't trust strip_links() and strip_tags(). http://dev.rubyonrails.org/ticket/8877

"Rails Security" by Leon Berenschot

Thu, 20 Sep 2007 20:18:19 +0200

the presentation @ railsconf missed a lot of topics indeed! Expected more out of it.... maybe next year :)