|
|
|
|
|
|
by ken
6562 days ago
|
|
|
So apps written in C never segfault? Proprietary platforms always have great tech support? Other programming languages always have same-day fixes? I won't make any particular claims about Ruby, but I have yet to see The Perfect Language. Every language in the world is "bad, bad platform choice" given some criteria. Moreover, from reading the advisories and comments, the only thing I can tell for certain is that you can kill a Ruby process with something like "Array.new[0x7fffffff]=0". The only way that's going to take down a Rails app is if you're putting unchecked user input directly into array indices -- but then, if you're doing that, you're probably in trouble anyway. Or if you're running a setup like Heroku, and you let users run a Ruby console. (Maybe. I don't actually know how Heroku works.) To the nearest percent, that describes 0% of Rails apps. Can anybody describe how this would actually be used to attack a typical website running Rails? |
|
|
An attacker could study the code paths of popular ruby based open-source projects to craft special attack inputs that exploit the weaknesses in Array and/or String.