21 Jul '12, 5am

@charliesome ? Also there's the query params etc.

Rails Ticket 4339 suggests that there is a denial-of-service vulnerability because of the way the Rails request handler instantiates a symbol for every incoming request method. This is technically true, but turns out not to matter, as seen below.

help i’m allocated and i can’t get released

There are only a few valid HTTP request methods: GET, POST, PUT, etc. But Rails creates the symbol before it figures out what to do about it. If you make a FOO /index.html HTTP/1.1 request, Rails will instantiate a :foo symbol. As you know, each unique symbol requires ~60 bytes of memory in the Ruby interpreter and is never garbage collected. The idea is that by spamming the server with lots of bogus request methods you can exhaust its memory space.

whatever man

It’s easy to write a script to exploit this with a small change to rfuzz. I ran such a script against a localhost-mounted gen...

Full article: http://blog.evanweaver.com/2006/09/18/rails-security-note/

Tweets

rails search benchmarks « snax:

blog.evanweaver.com 21 Jul '12, 1pm

Posted March 17, 2008 at 9:48 AM | Permalink You probably should make a clearer distinction between Ferret and acts_as_fer...

The Ongoing Vigil of Software Security

rubylearning.com 23 Jul '12, 1am

Think of your systems, databases, and code as a ship floating in the middle of the Atlantic. The ship was fairly hastily c...

Riding Rails: What is docrails?

weblog.rubyonrails.org 22 Jul '12, 9pm

Over the years I have seen some confusion about what is exactly docrails and how it relates to the documentation of Ruby o...

How Does Rack Parse Query Params?

rubyflow.com 13 Jul '12, 4am

How Does Rack Parse Query Params? Posted by jim on July 13, 2012 — 0 comments Noah Gibbs recently wrote about understandin...

@willybahuaud nah, it's provided directly by...

guides.rubyonrails.org 21 Jul '12, 8am

Rails is a web application development framework written in the Ruby language. It is designed to make programming web appl...

Riding Rails: Rails and the Enterprise:

weblog.rubyonrails.org 22 Jul '12, 5am

The Enterprise is evolving: economic crisis, a new generation of developers, new management, insane deadlines. Ruby and Ra...

Ruby on Rails Guides (edge) - #rails #ruby

edgeguides.rubyonrails.org 23 Jul '12, 10am

Ruby on Rails Guides (580fa0c) These are Edge Guides , based on the current master branch. If you are looking for the ones...

What's New in Edge Rails

afreshcup.com 25 Jul '12, 2am

is Mike Gunderloy's software development weblog, covering Ruby on Rails and whatever else I find interesting in the univer...

The Rails Way

therailsway.com 27 Jul '12, 9pm

As I mentioned in the post on managing file uploads, the most common cause of an unresponsive rails application is having ...

Europe makes smart grid security recommendations - EE Times #Enisa

Europe makes smart grid security recommendation...

eetimes.com 19 Jul '12, 2pm

PARIS – The European Network and Information Security Agency (ENISA) has published a report that makes ten recommendations...

Ruby on Rails Guides: Asset Pipeline:

guides.rubyonrails.org 18 Jul '12, 7pm

Not all caches will reliably cache content where the filename only differs by query parameters . Steve Souders recommends ...

[ANN] Rails 3.2.7.rc1 has been released! #rails

ruby-forum.com 24 Jul '12, 1am

Hi everyone! I've pushed a release candidate for Rails 3.2.7. Please try it out! If you find any bugs present in the 3.2.7...

SIA Amazing All-In Fares to Bangkok, HCMC, Hong Kong, Europe, LA, SF, etc, Book by 10 Sep 2012: [[Read more her...

SIA Amazing All-In Fares to Bangkok, HCMC, Hong...

tualobang.blogspot.com 21 Jul '12, 8am

Hi, thanks for visiting. Here's a simple FAQ for the site: 1. We provide multiple content push options: a) Subscribe to em...

Today marks 1 year since the launch of the Back...

robots.thoughtbot.com 19 Jul '12, 12am

July 18, 2011 Tagged: backbone.js workshops ruby on rails javascript Comments (View) Backbone.js on Rails: a new dynamic e...

Well, why? Why am I not surprised security vul...

spreecommerce.com 12 Jul '12, 7am

Posted July 05, 2012 by Andrew Hooker Comments We have just released several new versions of Spree which contain important...