similar to: DHH's Post on Ruby Talk -- Rails 1.1.6: Stronger fix, backports, and full disclosure

Displaying 20 results from an estimated 6000 matches similar to: "DHH's Post on Ruby Talk -- Rails 1.1.6: Stronger fix, backports, and full disclosure"

2006 Aug 10
4
Rails 1.1.6: Stronger fix, backports, and full disclosure
The cat is out of the bag, so here's the full disclosure edition of the current security vulnerability. With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code
2006 Aug 09
21
DHH's Post on Ruby Talk -- Rails 1.1.5: Mandatory security patch (and other tidbits)
We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5! This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public
2006 Jan 05
1
[REQ] Document, post, DHH talk about "Why Rails ?"
Hello, I'm writing internal slides (fr government) presenting RoR, perhaps soon in CC licence. Can you point me to some reference where "Rails History" or "Why DHH chose to develop his "own" Framework" are discussed? In fact I try to answer the background question "Why another framework ?" Thanks! Ciao'
2007 Apr 09
1
Problem on Dreamhost: engine for rails 1.1.6
Hi, I'm trying to set up Substruct (shopping cart engine) on Dreamhost. I failed several times and tracked down to the problem area. I can reproduce the problem with these steps: 1. install rails 2. change public/.htaccess for fcgi 3. change public/dispatch.fcgi for RailsFCGIHandler At this step, I can execute public/dispatch.fcgi without error. 4. svn co
2006 Aug 09
3
Rails 1.1.5: Mandatory security patch (and other tidbits)
We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5! This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public
2006 Apr 18
1
Problems freezing rails 1.0
Hi I'm trying to freeze one of my current applications to 1.0 when I start developing a new one in 1.1.2. I've tried to do it these two different ways (from app root folder) 1. rake freeze_edge REVISION=3303 2. svn export http://dev.rubyonrails.org/svn/rails/tags/rel_1-0-0 vendor/rails In both cases I get similar errors: svn: PROPFIND request failed on
2006 Nov 04
0
App for creating presentation slideshows (a-la DHH) ?
Hello all, I'm (sadly) on Win32, and I'm looking for a presentation app to create slides a-la DHH and others. Powerpoint is obvious, and painful to work with. Also how can a windows wonk do the formatted pasting of ruby code for the presentation ? Thanks! -- ------------------------------ Apple MacBook. Black. It's the new White! ------------------------------
2006 Jun 16
0
Where's DHH's slides on new CRUD presented at RubyKaigi2006?
Anxiously finding it... -- http://nohmad.sub-port.net
2005 Apr 10
0
Chicago Area Ruby Group Meetup with DHH
The Chicago Area Ruby Group would like to extend a warm invitation to Ruby developers everywhere to a meetup with David Heinemeier Hansson on Saturday, April 23rd. We will start out at a Giordano's Pizzeria downtown and afterwards move to a conference room provided by the kind folks at Site 9. The topic will most likely be Ruby on Rails and I am sure we will probably talk about
2006 Apr 10
1
Tracking 1.1.x release using svn:externals?
Now that Rails is doing regular updates to 1.1.x branch, is it possible to track this release using svn:externals inside my app? Currently I have: rails http://dev.rubyonrails.org/svn/rails/tags/rel_1-1-1/ in my vendor directory. Can I change this to something like a wildcard 'rel_1-1-x', ensuring that I always have the latest of the stable 1.1 branch? Cheers! Tom
2006 Apr 14
10
DHH Says...F You
WTF was this about? http://www.flickr.com/photos/planetargon/127984254/ Joe -- Posted via http://www.ruby-forum.com/.
2008 Oct 11
1
1.1.5 and 1.1.6 make errors
Wine 1.1.4 builds, however attempts to make 1.1.5 and 1.1.6 result in: {standard input}: Assembler messages: {standard input}:7408: Warning: end of file not at end of a line; newline inserted gcc: Internal error: Segmentation fault (program cc1) Please submit a full bug report. See <http://bugzilla.redhat.com/bugzilla> for instructions. make[2]: *** [menu.o] Error 1 make[2]: Leaving
2006 Sep 01
0
Are you using Array#in_groups_of(n, false)?
Are you using Array#in_groups_of(n, false)? That is, you want the array chopped into n groups, and if it's an uneven number, you want the missing positions filled with "false". If so, please post the brief snippet where it is being used. (I'm trying to settle a bet with Mr. koz.) -- David Heinemeier Hansson http://www.loudthinking.com -- Broadcasting Brain
2004 Dec 15
4
AR db adapter for a RDF database (ATT: DHH)
Hi people, As I stated in an earlier message, I am using Rails on my masters degree and soon I will have to port my application from a relational database (MySql) to a RDF semantic database called Sesame. At first, I thought that I could get away with most of the porting only by writing a decent database adapter, but then, examining AR closer, I could see that it has some strong dependencies
2003 Sep 16
0
two potentially troubling posts to full-disclosure
I haven't seen anything about this here and thought I should pass it along. christopher neitzert <chris at neitzert.com> made two postings to the full-disclosure list earlier today. They stated, in part: ***** Does anyone know of or have source related to a new, and unpublished ssh exploit? An ISP I work with has filtered all SSH connections due to several root level incidents
2003 Sep 17
0
Fwd: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
More patch-o-rama :-( ---Mike >From: Michal Zalewski <lcamtuf@dione.ids.pl> >To: bugtraq@securityfocus.com, <vulnwatch@securityfocus.com>, > <full-disclosure@netsys.com> >X-Nmymbofr: Nir Orb Buk >Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) >[CAN-2003-0694] >Sender: full-disclosure-admin@lists.netsys.com >X-BeenThere:
2003 Sep 15
1
Fwd: Re: [Full-Disclosure] new ssh exploit?
Has anyone around here heard of this ? ---Mike >Subject: Re: [Full-Disclosure] new ssh exploit? >From: christopher neitzert <chris@neitzert.com> >Reply-To: chris@neitzert.com >To: full-disclosure@lists.netsys.com >X-Mailer: Ximian Evolution 1.4.3.99 >Sender: full-disclosure-admin@lists.netsys.com >X-BeenThere: full-disclosure@lists.netsys.com
2006 Feb 11
6
DHH Interviewed by MySQL
I didn't see anyone post a link to David's Interview by Lenz here on the list so I decided to post it. The interview can be accessed here: http://dev.mysql.com/tech-resources/interviews/david-heinemeier-hansson-rails.html I was very happy to see the interview on PlanetMySQL as just the other day I was talking about RubyOnRails on my MySQL blog which is syndicated
2007 Dec 04
0
Freezing Rails 1.2.6 & rubygems 0.95 Problems
Freezing to 1.2.6 appears to be broken right now for two reasons. My environment is using rails 1.2.6 and rubygems 0.9.5 Attempting to freeze to 1.2.6 with this will result in this output & error: % rake rails:freeze:edge TAG=rel_1-2-6 ... ** Invoke rails:freeze:edge (first_time) ** Execute rails:freeze:edge A vendor/rails/railties . . . A vendor/rails/activesupport/MIT-LICENSE
2006 Jan 15
9
DHH's dislike of high level components
On 1/5/06, David Heinemeier Hansson wrote: > > The lure of components is directly proportional with the pain of development. I'm not trying to be abrasive in any way but I'm curious if this attitude is related to the number of rails apps David maintains. No I don't know how many login systems David maintains. I can understand avoiding components if a person only