De-Railing Security Bugs

by Jeff Lembeck

6 Reader Comments

  1. Simply running `gem list` in your Rails project directory does necessarily print gems installed for this project or in your `.bundle`. You should use `bundle list` or look in Gemfile.lock.
  2. Thank you for catching that! Will make that change.
  3. Well-written, I like your simple “what can you do?” section especially. Thanks!
  4. Thanks for the heads up. I was pleased to learn that our host had already patched it, on dedicated servers as well as VPSes.
  5. As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system security company was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any underage accounts that had mistakenly been allowed to be created.
  6. Rails (like most major open-source projects) has a security announcement mailing list. They also tend to post announcements to their blog, but that’s less reliable. If you run open-source software, it’s a good idea to subscribe to the relevant security lists. Also, since this article was posted, another security update (and, as a bonus, one for the JSON gem) has been released. You should now be running Rails 3.2.12, 3.1.11, 3.0.20, or 2.3.17 (as well as version 1.7.7 of the ‘json’ gem).
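Following up on comments 1 and 6: an added example (not from the article or its commenters) that reads the versions Gemfile.lock actually resolved, as the first comment recommends, and compares rails and json against the patched releases the sixth comment lists. The `PATCHED` table, the parser and the sample lockfile are constructed here for illustration.

```ruby
# Added example: check the versions a Gemfile.lock pins for rails and json
# against the patched releases listed in the comment above
# (Rails 3.2.12, 3.1.11, 3.0.20, 2.3.17 and json 1.7.7). Gem::Version is
# provided by rubygems, which Ruby loads by default.

# Minimum patched version per release series, taken from the comment above.
PATCHED = {
  "rails" => { "3.2" => "3.2.12", "3.1" => "3.1.11", "3.0" => "3.0.20", "2.3" => "2.3.17" },
  "json"  => { "1.7" => "1.7.7" },
}

# Parse every "specs:" block of a Gemfile.lock into { gem name => version }.
# Only 4-space-indented lines carry a resolved version; the deeper-indented
# lines beneath them are dependency constraints and are skipped.
def locked_versions(lockfile_text)
  versions, in_specs = {}, false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? || line !~ /\A\s/ # block ended
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = m[2].sub(/-.*\z/, "") if m # drop platform suffix, e.g. -java
  end
  versions
end

# Return sorted "name version" strings for gems older than the patched release
# of their series. Gems or series absent from PATCHED are not judged either way.
def outdated(versions, patched = PATCHED)
  versions.each_with_object([]) do |(name, ver), bad|
    floor = patched.fetch(name, {})[ver.split(".").first(2).join(".")]
    next if floor.nil?
    bad << "#{name} #{ver}" if Gem::Version.new(ver) < Gem::Version.new(floor)
  end.sort
end

# Constructed sample lockfile (not from a real project), pinned one release behind.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.11)
      json (1.7.6)
      rails (3.2.11)
        actionpack (= 3.2.11)
  DEPENDENCIES
    rails (= 3.2.11)
LOCK
puts outdated(locked_versions(SAMPLE_LOCK)).inspect
```

Run it against a real project with `outdated(locked_versions(File.read("Gemfile.lock")))`; an empty array means every rails and json series the table knows about is at or above its patched release.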