http://www.reddit.com/r/netsec/comments/158g8s/hijacking_ruby_on_rails_apps_through_exposed/

FYI

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
I was concerned when I saw the title of the message, but I think the solution is as simple as just informing people to be sure that any README for Rails apps they share on GitHub (or wherever they have that token exposed), that the user of the application should change that token to a sufficiently random token, and that they should follow the security guide at http://guides.rubyonrails.org/security.html as well as keeping up with everything they can as it relates to security.

In the current release version of Rails (3.2.9), the file that Rails generates resides in:

config/initializers/secret_token.rb

Unfortunately, it looks like the guide in 3.2.9 and master still refers to setting that value in environment.rb, even though it is set via config/initializers/secret_token.rb:

https://github.com/rails/rails/blob/master/guides/source/security.md
http://guides.rubyonrails.org/security.html

However, the "configuring" sections in 3.2.9 and master were updated to indicate that config/initializers/secret_token.rb is the place where that is stored and that it is randomly generated, per:

"Applications get config.secret_key_base initialized to a random key in config/initializers/secret_token.rb."

https://github.com/rails/rails/blob/master/guides/source/configuring.md
http://guides.rubyonrails.org/configuring.html

It may be good to add in the guide that puppet, chef, capistrano, or whatever you use to deploy/setup could be used to copy an environment-specific version of that file and to guard it and config/database.yml with your life, if security is a concern, which it usually is.

Thanks for bringing this up, because it is a good idea to mention it for those sharing apps, and because it should probably be clearer in the Rails guide. Unless someone else is messing with the guide, I could update the security page to note the secret_token.rb file vs. use of environment.rb and to note that for a greater (suggested) level of security, database.yml and secret_token.rb should be copied during deploy and be specific for that environment. I don't think that is overly opinionated as a basic level of security, is it?

On Friday, December 21, 2012 12:47:09 PM UTC-5, Al wrote:
> http://www.reddit.com/r/netsec/comments/158g8s/hijacking_ruby_on_rails_apps_through_exposed/
> FYI
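Why the token in secret_token.rb has to be random and private, as an added example that is not part of the thread and not Rails code: the script below models the Rails 3.2 cookie-store signature (base64 payload, a `--` separator, and a hex HMAC-SHA1 over the payload keyed with the secret token, the layout ActiveSupport::MessageVerifier used at the time), with the simplification that the session is JSON-encoded rather than Marshal-dumped. `LEAKED_TOKEN` is a constructed stand-in for a token that was pushed to a public repository; `fresh_secret_token` does what `rake secret` does. Anyone holding the leaked value can mint a cookie the app accepts as a logged-in session, and the only fix is to replace the token, which also invalidates every cookie signed with the old one.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Model of the Rails 3.2 cookie store signature:
#   base64(payload) + "--" + hex(HMAC-SHA1(secret_token, base64(payload)))
# Added example, not Rails code: the session is JSON-encoded here for readability
# (Rails Marshal-dumps it); the separator and HMAC-SHA1 hex digest follow
# ActiveSupport::MessageVerifier as of 3.2.
class SignedSessionCookie
  def initialize(secret_token)
    @secret_token = secret_token
  end

  def generate(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{digest(data)}"
  end

  # Returns the session hash when the signature checks out, nil otherwise.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret_token, data)
  end

  # Constant-time comparison so the verifier does not leak the digest byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end
end

# Equivalent of `rake secret`: 64 random bytes from the CSPRNG, rendered as 128 hex characters.
def fresh_secret_token
  SecureRandom.hex(64)
end

# Constructed stand-in for a token that was committed to a public repository.
LEAKED_TOKEN = 'deadbeef' * 16

# Whoever holds the token can mint a cookie the app will accept as a session for user 1.
def forged_cookie(token = LEAKED_TOKEN)
  SignedSessionCookie.new(token).generate('user_id' => 1)
end

# Does an app running with `secret_token` accept the cookie forged from the leaked token?
def accepts_forgery?(secret_token)
  !SignedSessionCookie.new(secret_token).verify(forged_cookie).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "app still on the leaked token accepts the forgery: #{accepts_forgery?(LEAKED_TOKEN)}"
  puts "app on a freshly generated token accepts it:       #{accepts_forgery?(fresh_secret_token)}"
end
```

Running it prints `true` for the leaked token and `false` for a fresh one; the cookie never needs to be stolen from a user, because with the key known the attacker signs whatever session they like.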
On Fri, Dec 21, 2012 at 7:49 PM, Gary Weaver <garysweaver@gmail.com> wrote:
> Unless someone else is messing with the guide, I could update security page to note the secret_token.rb file vs. use of environment.rb and to note that for a greater (suggested) level of security, database.yml and secret_token.rb should be copied during deploy and be specific for that environment. I don't think that is overly opinionated as a basic level of security, is it?

Please go ahead!
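The deploy-time copy suggested above, as an added example that is neither the thread's nor Rails' code: `install_secrets` takes environment-specific `config/initializers/secret_token.rb` and `config/database.yml` from a directory provisioned on the host outside the checkout (what puppet or chef would lay down, and what Capistrano calls `shared_path`) and copies them into the release, owner-read-only, refusing to finish if the token still looks like a placeholder. It is plain Ruby so it runs stand-alone; `MyApp::Application` and the contents written by `provision_shared` are constructed for the example.

```ruby
require 'fileutils'
require 'tmpdir'
require 'securerandom'

# Added example, not from the thread or from Rails: the deploy-time step of copying
# environment-specific config/initializers/secret_token.rb and config/database.yml from a
# directory outside the checkout into the release being deployed. A Capistrano task would
# do the same copy between shared_path and release_path.
SECRET_FILES = %w[config/initializers/secret_token.rb config/database.yml].freeze

# A generated secret_token.rb assigns config.secret_token a SecureRandom.hex(64) string:
# 128 hex digits. Reject shorter, non-hex, or single-repeated-character placeholders.
def valid_secret_token_file?(contents)
  m = contents.match(/config\.secret_token\s*=\s*['"]([^'"]*)['"]/)
  return false unless m
  token = m[1]
  token.length >= 128 && token.match?(/\A\h+\z/) && token !~ /\A(.)\1*\z/
end

# Copy each secret file from shared_path into release_path with mode 0600, and refuse
# to finish the deploy if the token does not look random.
def install_secrets(shared_path, release_path)
  SECRET_FILES.each do |rel|
    src = File.join(shared_path, rel)
    raise "#{src} missing: provision it on the host, not in the repository" unless File.file?(src)
    dst = File.join(release_path, rel)
    FileUtils.mkdir_p(File.dirname(dst))
    FileUtils.cp(src, dst)
    File.chmod(0o600, dst)
  end
  token_file = File.read(File.join(release_path, 'config/initializers/secret_token.rb'))
  raise 'secret_token.rb does not contain a random 128-hex-digit token' unless valid_secret_token_file?(token_file)
  true
end

# Writes a constructed shared directory (the kind puppet/chef would provision) so the
# example runs offline. MyApp::Application is a hypothetical application name.
def provision_shared(shared_path, token = SecureRandom.hex(64))
  FileUtils.mkdir_p(File.join(shared_path, 'config/initializers'))
  File.write(File.join(shared_path, 'config/initializers/secret_token.rb'),
             "MyApp::Application.config.secret_token = '#{token}'\n")
  File.write(File.join(shared_path, 'config/database.yml'),
             "production:\n  adapter: postgresql\n  database: myapp\n  password: example-only\n")
  shared_path
end

def file_mode(path)
  File.stat(path).mode & 0o777
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    shared  = provision_shared(File.join(tmp, 'shared'))
    release = File.join(tmp, 'releases', '20121221')
    install_secrets(shared, release)
    puts format('secret_token.rb installed with mode %o', file_mode(File.join(release, 'config/initializers/secret_token.rb')))
  end
end
```

Keeping the check in the deploy step means a README that still says "change this token" cannot quietly be ignored: a placeholder or a copy of the repository default fails the deploy instead of going live.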
Done: https://github.com/rails/rails/pull/8581

On Friday, December 21, 2012 1:59:08 PM UTC-5, Xavier Noria wrote:
> Please go ahead!
That was quick :), thanks very much Gary!

On Fri, Dec 21, 2012 at 9:03 PM, Gary Weaver <garysweaver@gmail.com> wrote:
> Done: https://github.com/rails/rails/pull/8581
You're welcome!

On Friday, December 21, 2012 3:08:46 PM UTC-5, Xavier Noria wrote:
> That was quick :), thanks very much Gary!