YAML's security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.
It's Not Just Ruby
A few weeks ago, I had a need to parse Jasmine's jasmine.yml in some C# code. I spent some time looking at existing YAML parsers for .NET and ended up deciding that spending a couple of hours writing a lightweight, purpose-specific parser for jasmine.yml made m...
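The claim above, that a YAML document can name a type and have the parser instantiate it, is easy to demonstrate in Ruby with Psych, the parser the Rails advisories concerned. The block below is an added example, not code from the post or from the author's C# parser; the `AuditHook` class, both documents and the helper names are constructed for illustration. It contrasts the legacy loader, which resolves every `!ruby/object:` tag, with `YAML.safe_load`, which only builds scalars, sequences and mappings plus an explicit allowlist.

```ruby
require 'yaml'

# Stand-in for "any class the application has loaded": nothing about it is
# special, which is the point. The attacker picks it by name in a YAML tag.
class AuditHook
  attr_reader :command
end

# Constructed hostile input (not from jasmine.yml or any real project):
# the tag asks the parser to instantiate AuditHook and set its @command ivar.
HOSTILE_DOC = <<~YAML
  --- !ruby/object:AuditHook
  command: id
YAML

# Constructed benign config in the shape of a jasmine.yml fragment.
BENIGN_DOC = <<~YAML
  spec_dir: spec
  src_files:
    - src/**/*.js
YAML

# Legacy behaviour: resolve every tag, instantiating whatever class it names.
# Psych < 4 did this in YAML.load; Psych >= 3.3.2 exposes it as unsafe_load.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened: plain data only, plus whatever classes the caller explicitly permits.
def safe_parse(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# true when the safe loader refuses the document because it names a class.
def rejected_by_safe_load?(doc)
  safe_parse(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_parse(HOSTILE_DOC)
  puts "unsafe loader built a #{obj.class} with command=#{obj.command.inspect}"
  puts "safe loader rejects hostile doc: #{rejected_by_safe_load?(HOSTILE_DOC)}"
  puts "safe loader parses benign doc: #{safe_parse(BENIGN_DOC).inspect}"
end
```

The unsafe loader returns a live `AuditHook` whose state was chosen by the document; with a class whose initializer, `init_with` or finalizer does real work, that is the code execution the post warns about. The safe loader raises `Psych::DisallowedClass` on the same input and still parses the plain config. A purpose-built parser for a fixed schema, as the post describes writing for jasmine.yml, avoids the problem by never resolving tags at all.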
I recently re-watched "The Lord of the Rings" (LOTR) movie trilogy. Remember the LOTR phrase, "One Ring To Rule Them All"? Could there ever be "One Programming Language To Rule Them All" (OPLTRTA)? In the early years of our industry there were loads of new languages appearing each year (History of Programming Languages). There were also attempts to create best-of-all-worlds programming languages. PL/I was an attempt to take parts of ALGOL, FORTRAN, and COBOL and add numerous data types, dynam...
The Rails 3.1 Release Candidate announcement contained news of many new and useful features, plus these regretful words:
has_secure_password: Dead-simple BCrypt-based passwords. Now there’s no excuse not to roll your own authentication scheme.
I will briefly provide an excuse.
"Simple BCrypt-based passwords" is a reasonable feature, but shouldn't be mistaken for end-to-end authentication, or even a substantial subset of that problem. Web site authentication in the real world is a far harder...
On June 18, 1985, I joined Borland International in Scotts Valley, California. It was great to come to a developer tools and software company. It is a special treat to be able to work on developer tools and be a developer. 25 years have passed and they have all been great years. There have been some ups and downs, some changes (of company names and addresses in Scotts Valley). One thing has stayed in the same place (besides me) - the drive to continually improve, enhance and simplify this th...
Rework, by Jason Fried and David Heinemeier Hansson, cannot accurately be described as the "sequel" to the first book to come out of 37 Signals, Getting Real. As a significant percentage of the book seems to be word for word identical to text in Getting Real, I think it's more of a "remix." Getting Real focused on creating marketable web software, whereas Rework changes the focus ever so slightly to growing a business around marketable web software.
If you've read Getting Real (you can sample...
This past weekend I, along with around 50 other local geeks, volunteered three days of my time to build web applications for eight different Columbus-area nonprofits. Columbus Give Camp is based on a similar series of events in Michigan. The Columbus Give Camp was hosted by Quick Solutions, who, conveniently, are located five floors above my own office. The event was a huge success. I'm particularly proud of the work my team did, taking the project from nothing to live and in production in just ...
Embarcadero Technologies, the leading independent provider of award winning Database Tools and Developer Software, provides many ways for developers, architects, and DBAs to keep up to date. Here are just a few of the ways new and current customers can find out about our products, product updates, company news, upcoming events, and more.
Join Us! Embarcadero Developer Network (EDN) - Connect with us and get the inside track on technical updates on the Embarcadero Developer Network.
Follow Us...
Attention Ruby on Rails supporters and fans: you are cordially invited to the first conference in the Southern Cone dedicated to the innovative Ruby on Rails framework. The conference "Locos por Rails 2009" will take place on April 3 and 4 in Buenos Aires.
More information: click here...
A couple weeks ago, I wrote a post noting that I liked the lightweight nature of the Ruby web framework Merb. Today comes the news that Merb and Rails will be merging in Rails 3. People who see Merb as the "anti-Rails" seem to find this surprising. But people who see Merb as "Rails done right/better" are enthusiastic about it. It's hard to blame the developers for being more interested in pleasing the latter group. When you read through the list of "What Does That Mean, Exactly?" at this link, I...