Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How prevalent is Rails 3 right now?

I somehow feel that defensive programming practices would have caught this bug. There is a lot of "magic" going on that lead to this exploit.

Sending text/xml to an application shouldn't have a huge impact but when you are dynamically creating objects out of the content it can lead to some serious problems.

Python has this too with pickle. However with Python it is pretty damn obvious that pickle is NOT SAFE. You also have to import it manually.



The bug has been there for 6 years and is present in virtually ALL deployed versions of Rails. Bugs happen (and they are certainly more common in dynamic frameworks like Rails)


I don't think defensive programming would have based on the current situation across a number of languages. Basically no serializer in any language PHP, Python, Rails, etc is completely safe. There are known exploits for all of them.

There is lots of magic in rails, but I bet there are a number of popular PHP and Python libraries/frameworks that are unserializing in an unsafe way.


There's an enormous difference between serializers that make any effort at all to be safe, and those like Ruby's YAML library, which make no effort. Python's YAML, for example, exposes a safe_load() method.

It's really criminally negligent that no such method exists in Ruby's YAML library.


Python's Pickle lib had something similar to safe_load(), that they removed because it gave a false sense of security.


If you are accepting pickled objects from a remote and using it ... you are an idiot.


Defensive programming in this case would be to not use a general purpose de-serializer for a format that is explicitly designed to allow serialising arbitrary objects....


Serializers aren't inherently unsafe. Look at Lisp's (read) method, for example, which does not evaluate anything.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: