Major Security Hole Found In Rails 177
mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.
How few? (Score:5, Interesting)
too late (Score:2, Interesting)
Re:meanwhile... (Score:5, Interesting)
Re: Major Security Hole Found In Rails (Score:1, Interesting)
Re:Diff? (Score:3, Interesting)
Re:Seems to be a SQL injection sploit (Score:3, Interesting)
Re:Patch details (Score:3, Interesting)
The splotlight can be merciless (Score:2, Interesting)
Some part of the growth of Ruby's recognition may be explainable in terms of the protracted development of Perl 6 and its ever-more baroque syntax, dissatisfaction with the Java-like direction the PHP language has been taking, and some waning interest with the cost of developing Java solutions to problems that are not compute-bound. I suspect that it is the dissatisfaction of web developers with the direction of their tools that makes them most susceptible to the siren call of new languages, especially those professing the ability to write the same programs in a much shorter period of time with more clarity. Application developers are slower to adopt the use of new languages outside of the domains of scripting and plug-in development, with the majority of desktop software meant for the home user still being developed in C, C++, and in the case of the growing Apple market: Objective-C.
It is because of this obstinacy that application developers have that much of the early successes of languages like Python and Ruby rise upward by following Java's path into the back-end with what become flagship projects that come to represent the language to adopters and spectators in its early form. Python had its Zope and now Ruby has its Rails.
Unfortunately this monocular fixation is a double-edged sword, and just as the successes of Rails can raise Ruby itself upward and spark new interest in developers that will branch out the competency of the available libraries, bad publicity for Rails could mute continued interest in Ruby, and losing the favor of its current famous advocates could spell the death of its potential to breach outward into a larger audience. It is for this reason that it is important for Ruby developers to ardently diversify the public successes of Ruby so that the sensational headlines of the Internet news cycle and the fickle nature of developer fashion do not spell an end to a promising beginning.
Flaws in software are inevitable, but when the spotlight is shining down upon you it is the spectacle of these flaws that will be remembered by the over-sensitive minds of managers when the time comes to decide what architecture to use for new developments. Diversifying the splotlight of Ruby will make it less susceptible to such damage.