by marshray 5216 days ago
I, too, agree with your sentiments. But I wish people would lay off of GitHub. They were mostly just a bystander here.

The real troublemakers are the Rails developers who seem to seriously believe that leaving such subtle security traps in their framework (and then blaming the developers who follow the example code) is a defensible position.


I disagree. Github is very much not the bystander here. They chose to use Rails (which is fine). But GH then has the onus to properly deploy their app.

An analogy would be a door that only locks with a special key in a certain sequence. If you choose not to do so, it's merely a door. Obviously, you could argue that that's a bad default, but I think that goes to the crux of the problem.

I'm an experienced developer, but not terribly familiar with Rails.

What do you mean "properly deploy their app"?

The sample code at rubyonrails.org looks like it has the same problem to me, i.e., it would be vulnerable if it were put into production in the right (entirely reasonable) circumstances.

> What do you mean "properly deploy their app"?

No matter how bad the tool actually is, only a terrible craftsman blames his tools. That's what he meant.

Both Rails and GH are at fault. Rails for not discouraging poor practices and GH for not being more familiar with their own stack.