The past weeks were busy for the Ruby on Rails core team and for appsec people looking at the framework’s security. Yesterday, Rails core member Aaron Patterson announced three Ruby on Rails security issues affecting the latest versions and, obviously, all the web applications out there built on the affected versions.
Today I was working on a new tabular output for Codesake::Dawn and I faced a problem. Vulnerabilities have very long descriptions that break all the formatting, resulting in something unreadable.
The “Ruby Programming Language” doesn’t help me that much here. I wondered whether the String class already had something similar, but I was wrong. Both PrettyPrint and its related pp library didn’t help me either in breaking up a long text justified at a certain width.
Since it doesn’t seem to be a difficult implementation, I spent a couple of minutes reinventing (must check whether I really am reinventing it) the wheel.
It was a busy month. Web sites out there are still being attacked by villains, and the first Codesake::Dawn major release came out this week. That’s why I haven’t posted anything since last December.
Today I want to share a consideration coming out of a discussion I had a couple of days ago:
Bugs are by definition security issues.
Do you agree with that? I don’t, and let’s see why.
Wow, last week was very busy in the ruby security announcement discussion group. A bunch of six new vulnerabilities were announced and most of them are cross site scripting issues. This is bad for a problem that has been floating around those places for more than a decade.