YAML's security risks are in no way limited to Rails or Ruby. A YAML document handed to a full-featured loader should be treated as executable code and firewalled accordingly: a loader that deserializes arbitrary types lets whoever supplies the document choose which classes get instantiated, which is user-controlled, arbitrary code execution.
It's Not Just Ruby
A few weeks ago, I had a need to parse Jasmine's jasmine.yml in some C# code. I spent some time looking at existing YAML parsers for .NET and ended up deciding that spending a couple of hours writing a lightweight, purpose-specific parser for jasmine.yml made m...
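As an added example, not code from either post above, this shows the difference between a loader that honours arbitrary type tags and a restricted one. It is in Ruby because that is where the Rails incident lived, but the same distinction (full loader versus a parser that only admits plain data) is what a purpose-specific config parser buys you in any language. The `DeployConfig` class, the two documents and the function names are constructed for illustration. Note that `YAML.load` became an alias for `safe_load` in Psych 4 (Ruby 3.1), so the helper falls back to `YAML.unsafe_load` where it exists in order to reproduce the older behaviour.

```ruby
require 'yaml'

# Constructed application class; stands in for any class the loader can reach.
class DeployConfig
  attr_accessor :command
end

# Constructed attacker-controlled document: the !ruby/object tag tells a
# full-featured loader to allocate DeployConfig and set @command directly,
# without ever calling initialize.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:DeployConfig
  command: "rm -rf /"
YAML

# Constructed benign document of the kind a config file such as jasmine.yml holds.
TRUSTED_DOC = <<~YAML
  src_files:
    - public/javascripts/*.js
YAML

# Old behaviour: honour every tag. Psych 4 (Ruby 3.1+) made YAML.load safe by
# default, so fall back to unsafe_load where it exists to show the original risk.
def full_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted load: only core scalar and collection types, no aliases, no
# application classes. Returns the exception instead of raising so callers
# can inspect what was blocked.
def restricted_load(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass => e
  e
end

# Firewall check that never constructs objects: parse to the node tree and
# report every !ruby/ tag present, so the document can be rejected up front.
def ruby_tags(doc)
  tree = YAML.parse(doc)
  tags = []
  tree.each do |node|
    next unless node.respond_to?(:tag) && node.tag
    tags << node.tag if node.tag.start_with?('!ruby/')
  end
  tags
end

if __FILE__ == $PROGRAM_NAME
  obj = full_load(UNTRUSTED_DOC)
  puts "full_load built a #{obj.class} with command=#{obj.command.inspect}"
  puts "restricted_load: #{restricted_load(UNTRUSTED_DOC).message}"
  puts "tags in untrusted doc: #{ruby_tags(UNTRUSTED_DOC).inspect}"
  puts "restricted_load of config: #{restricted_load(TRUSTED_DOC).inspect}"
end
```

The tag scan is the cheap gate to put in front of any code path that accepts YAML from outside the process; the restricted load is what the code path itself should call, with `permitted_classes` listing only the handful of types the file format genuinely needs.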
I recently re-watched "The Lord of the Rings" (LOTR) movie trilogy. Remember the LOTR phrase, "One Ring To Rule Them All"? Could there ever be "One Programming Language To Rule Them All" (OPLTRTA)? In the early years of our industry there were loads of new languages appearing each year (History of Programming Languages). There were also attempts to create best of all worlds programming languages. PL/I was an attempt to take parts of ALGOL, FORTRAN, COBOL, and added numerous data types, dynam...
On June 2, 2011 the US Department of Labor's Bureau of Labor Statistics reported a 1.8% (annual rate) increase in non-farm business sector labor productivity during the first quarter of 2011. For the manufacturing sector there was a 4.2% growth in productivity for Q1 2011. Most businesses measure the productivity of their employees. In Software Project Management we can measure the completion of development milestones, feature completion, bug close ratios, check-ins, and other aspects of developing software...
The Rails 3.1 Release Candidate announcement contained news of many new and useful features, plus these regretful words:
has_secure_password: Dead-simple BCrypt-based passwords. Now there’s no excuse not to roll your own authentication scheme.
I will briefly provide an excuse.
"Simple BCrypt-based passwords" is a reasonable feature, but shouldn't be mistaken for end-to-end authentication, or even a substantial subset of that problem. Web site authentication in the real world is a far harder...
This morning, I saw two different posts from Rails developers who were newly learning ASP.NET MVC, both bemoaning the fact that ASP.NET MVC does not supply/force upon you one particular ORM. The dependency on ActiveRecord is, to my way of thinking, a shortcoming of Rails, which the Rails community is presently doing an exceptional job of fixing. The best way to learn from that mistake is to not repeat it.
Yes, it is true that ASP.NET MVC does not force you to use one particular ORM. Yes, that...
A couple weeks ago, I wrote a post noting that I liked the lightweight nature of the Ruby web framework Merb. Today comes the news that Merb and Rails will be merging in Rails 3. People who see Merb as the "anti-Rails" seem to find this surprising. But people who see Merb as "Rails done right/better" are enthusiastic about it. It's hard to blame the developers for being more interested in pleasing the latter group. When you read through the list of "What Does That Mean, Exactly?" at this link, I...
Embarcadero products are finalists in four of the 19th Annual Jolt Product Excellence Awards! JBuilder, ER/Studio Enterprise Portal, Change Manager, and 3rdRail are finalists. We've won several Jolt Awards in the past and are very proud to be finalists again.
Change and Configuration Management
AccuRev (AccuRev)
Change Manager (Embarcadero Technologies)
JetBrains TeamCity (JetBrains TeamCity)
OpenMake Meister (OpenMake Software)
Plastic SCM (Codice Software)
Database Engines ...
It's official - 3rdRail version 2.0 and the first edition of TurboRuby have been announced and released. The feature matrix (PDF) document tells you what capabilities are available in 3rdRail and TurboRuby.
Yukihiro Matsumoto, creator of the Ruby programming language, said in the press release, “I am really pleased that Embarcadero supports the language I designed. It is especially impressive that 3rdRail gives consideration to everyone from beginner to expert. The new edition of TurboRuby ha...
Original post (5/29/2008):
This Saturday, May 31, at 10am Pacific Time, I'll be appearing on the GeekSpeak program on KUSP FM radio here in Santa Cruz. KUSP streams live on the Internet (34k mp3 stream / 128k mp3 stream). The show will also be available as a podcast on NPR.
The description for this week show:
Software Development Tools - IDEs allow quicker and easier development of applications, but how does one go about creating a good IDE? Guest David Intersimone from CodeGear will ...
This week, CodeGear announced the availability of the Japanese language version of 3rdRail, our Ruby on Rails development environment. A press conference was held in Japan this week to announce a business collaboration with CodeGear, Open Source Japan, and Network Applied Communication Laboratory (NaCl) to drive enterprise Ruby on Rails adoption in Japan. In the press release and conference, Yukihiro Matsumoto, the creator of the Ruby language and NaCl Fellow, said, "CodeGear has a longstanding...