Hacker News new | ask | show | jobs
by lnanek 5213 days ago
This reminds me of how PHP used to turn HTTP request variables directly into global programming variables by default. Now it only happens when you enable the register_globals option. I don't think I've ever met anyone who didn't consider it a huge security issue.

This rails behavior is actually even more powerful than the old PHP one for hackers because with this you get directly into the model and then the DB when everything is still left as generated, not just the temporary variables. It's actually pretty surprising how much resistance there is to fixing the issue.

It could be that the proposed whitelisting isn't the only solution. It does require annoying configuration. With PHP, nowadays, most people just access a particular array when they want their request variables. Similarly, maybe Rails could have a request model object and a DB model object with simple methods for copying state between the two. Maybe combine it into some sort of validation logic with user friendly error messages being specified. I guess it is still more work that default overwriting of the DB with request variables, though.
2 comments
Jach 5213 days ago
I was also thinking of PHP's register_globals. I was tempted to make a snide remark, so I'll make it now. The difference here is that the PHP group realized register_globals was a bad idea, deprecated it in 5.3 and removed it in 5.4. Furthermore the default has been OFF since 4.2.0. The resistance to fixing the Rails problem just makes me ever less likely to give Rails a shot, it should be really bad PR when you ignore security issues.
link
kijin 5213 days ago
Welcome to the new decade, where PHP has secure defaults and Rails apps get pwn'd left right and center.

But seriously, PHP still has lots of problems to fix.

link
maratd 5213 days ago
> But seriously, PHP still has lots of problems to fix.

Like what?

link
kijin 5213 days ago
Inconsistent error handling, for example. Why do some functions fail silently, some functions return false, some functions produce warnings, some functions throw exceptions, and some functions tell you to call another function to retrieve the error code?

Ruby and Python are much more consistent in that regard.

link
getsat 5213 days ago
http://phpsadness.com/

http://www.reddit.com/r/lolphp/

Among others...

link
maratd 5213 days ago
If the best you can do is close to a year stale and doesn't apply to the latest version, I'd say PHP is doing a fine job.

Also, reddit? Really?

link
masklinn 5213 days ago
> If the best you can do is close to a year stale and doesn't apply to the latest version

Really? 5.4 has fixed the retarded associativity of the ternary and all error reporting?

link
blasterford 5213 days ago
The lesson here is if you care about security, performance, reliability etc, use old 'uncool' battle worn languages/platforms.
link
qeorge 5213 days ago
I like the approach Yii (PHP framework) takes:

http://www.yiiframework.com/wiki/161/understanding-safe-vali...

If a field doesn't have any validation rules set it will be thrown out when you save the model. This way you won't mass-assign to a column that was never meant to be mutable. Its a little more work to get up and running, but I think its a good tradeoff.

(You do have the option of turning this off, but you'd have to do it intentionally).

link