Full disclosure
David finally admits that the cat is out of the bag and gives full disclosure on the critical security hole in Ruby on Rails:
With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code will run for a long time and that process will be hung while it happens. Other URLs can even cause data loss.
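Defender-side triage for the issue described above, as an added example that is not part of the original post or of Rails itself: it walks access-log lines in combined format and flags requests whose path starts with a "script" segment, the trigger the disclosure names. The log lines are constructed for the example, and the path test is a first-segment match rather than a substring match so that ordinary Rails asset URLs such as /javascripts/... are not flagged.

```ruby
# Added example (not code from the original post or from Rails).
# Flags requests whose URL path begins with a "script" segment, e.g. /script/profiler,
# in Apache/Mongrel combined-format access logs. Sample lines are constructed.
require 'uri'

COMBINED_LOG = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) \S+" (?<status>\d{3})/

SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [10/Aug/2006:14:02:11 -0500] "GET /posts/1 HTTP/1.1" 200 4312
  10.0.0.9 - - [10/Aug/2006:14:02:15 -0500] "GET /script/profiler HTTP/1.1" 500 0
  10.0.0.7 - - [10/Aug/2006:14:03:01 -0500] "GET /javascripts/prototype.js HTTP/1.1" 200 55000
  10.0.0.9 - - [10/Aug/2006:14:03:05 -0500] "GET /script/profiler?x=1 HTTP/1.1" 500 0
  10.0.0.2 - - [10/Aug/2006:14:04:44 -0500] "POST /description HTTP/1.1" 200 12
LOG

# Parse one combined-format line into a hash, or nil if it does not match.
def parse_line(line)
  m = COMBINED_LOG.match(line) or return nil
  { ip: m[:ip], time: m[:time], method: m[:method], target: m[:target], status: m[:status].to_i }
end

# True when the request path's first segment is exactly "script".
# A substring test (include?("script")) would also flag /javascripts/... and
# /description, so the path is split and only its first segment compared.
def script_path?(target)
  path = URI.parse(target).path rescue target.split('?', 2).first
  segments = path.split('/').reject(&:empty?)
  segments.first == 'script'
end

# Return the flagged requests plus a per-client count for triage.
def triage(log_text)
  hits = log_text.each_line.map { |l| parse_line(l.strip) }.compact
                 .select { |r| script_path?(r[:target]) }
  by_ip = hits.each_with_object(Hash.new(0)) { |r, h| h[r[:ip]] += 1 }
  { hits: hits, by_ip: by_ip }
end

if __FILE__ == $0
  result = triage(SAMPLE_LOG)
  result[:hits].each { |r| puts "#{r[:time]} #{r[:ip]} #{r[:method]} #{r[:target]} -> #{r[:status]}" }
  puts "clients: #{result[:by_ip].inspect}"
end
```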
It’s good that the RoR team has released the details of the problem and is working hard on all security aspects of the framework. They’ve even started a new mailing list for dealing with security issues. That’s a Good Thing.
But still, I’m left wondering why David decided to handle this the way he did. This exercise in security-by-obscurity certainly wouldn’t have prevented a determined person from finding the diff in the code and exploiting it. And yet it made it very difficult for admins with sites running RoR to make informed decisions on how to handle the news.
I just don’t understand, and I’m apparently not the only one…
Quoth Evan Weaver:
Core team discovered a security vulnerability in recently released 1.1.4, and then came to the conclusion, same as I did, that 1.0 and some intermediate 1.1 releases are not affected. They have provided a patch, but no explanations, which is beyond frustrating to those who have to decide whether it’s better to risk breaking their application by applying this mysterious patch, or continue running with a vulnerability of unknown severity.
Indeed.
The time will come when each of the other frameworks will be found to have critical security flaws as well.
The only question is… how will they handle it when it happens?
August 11th, 2006 at 8:17 am
I think what amuses me the most is the “internet time acceleration.” This went from zero to full disclosure in about a day, with some security by obscurity thrown in the midst. It’s been touted as a scandal of Lewinskian proportions, but when you look back it was a 24-hour blip.
Not defending how it happened, just find it funny for such a short-term problem.
August 11th, 2006 at 5:50 pm
The other frameworks hopefully learned something from this. Tell your users what the problem is. Which is good, since RoR made a mistake, got thwacked in the knuckles, and made amends. The others can then learn without having to go through it themselves.
August 17th, 2006 at 7:17 am
[...] Last Thursday (talking about Rails) I said: The time will come when each of the other frameworks will be found to have critical security flaws as well. [...]