2/17/2006

Rails Security or Why Can't all Code be Perfect?

I was a bit alarmed (that's what happens before Cup of Coffee #2) to read this post:

WebObjects VS. Ruby

I hadn't thought of some of those things before. I have wondered, though, what a paranoid security person would have to say about Rails. So I posted to a RoR mailing list to see what they thought (forgive the ill-named initial post, another side effect of doing something before Cup of Coffee #2):

http://www.ruby-forum.com/topic/54867#new

I've come to the conclusion that RoR would be no more insecure than using PHP and blindly using the $_GET and $_POST variables without validating them first.

I do not know anything about Ruby's taint mode or why it's not turned on in Rails (not that I'm blaming the Rails authors for anything); the Rails developers may have made the decision to leave it up to the programmers.

[ RANT ]
Programmers need to take responsibility and not blame frameworks for insecure code, especially if the programmer can go look at the code for themselves. I've heard people bellyache about PEAR classes not checking input. Well, that's the programmer's job, and PEAR doesn't claim to do stuff like that either! What moron would pass data to code she or he didn't write without first checking the variables? Unfortunately, probably a lot. But I'm not one of them, and I'm not going to sit around and gripe about it either.
[ /RANT ]
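To make the point above concrete (and the earlier comparison with passing $_GET and $_POST straight through in PHP), here is an added example of the kind of check the post says every programmer owes their own code before handing request data to a framework or library. It is not code from the original post or from Rails: an allow-list validator for decoded request parameters that keeps only the keys it knows about, checks each value's type and format, and reports everything it rejected. The schema format, the parameter names and both sample requests are constructed for the example.

```ruby
# Added example, not from the original post or from Rails.
# Each schema entry: param name => { type:, pattern: (optional), required: }.
# The parameter names, patterns and sample requests are constructed here.
USER_SCHEMA = {
  "login" => { type: :string, pattern: /\A[a-z0-9_]{3,20}\z/, required: true },
  "email" => { type: :string, pattern: /\A[^@\s]+@[^@\s]+\.[a-z]{2,}\z/i, required: true },
  "age"   => { type: :integer, required: false },
}.freeze

# Returns [clean_hash, errors]. Keys absent from the schema are never copied
# into clean_hash; bad values are reported instead of being passed along.
def validate_params(raw, schema)
  clean  = {}
  errors = []

  schema.each do |name, rule|
    value = raw[name]
    if value.nil? || value.to_s.empty?
      errors << "#{name}: missing" if rule[:required]
      next
    end

    case rule[:type]
    when :integer
      # Only plain digit strings are accepted; Integer() would also take "0x1f".
      if value.to_s =~ /\A\d+\z/
        clean[name] = Integer(value.to_s, 10)
      else
        errors << "#{name}: not an integer"
      end
    when :string
      str = value.to_s
      if rule[:pattern] && str !~ rule[:pattern]
        errors << "#{name}: bad format"
      else
        clean[name] = str
      end
    end
  end

  # Anything the schema does not name is dropped, and the drop is logged
  # so a flood of unexpected keys is visible rather than silent.
  unexpected = raw.keys - schema.keys
  errors << "unexpected parameters dropped: #{unexpected.sort.join(', ')}" unless unexpected.empty?

  [clean, errors]
end

# Constructed sample requests, in the shape of a decoded query string.
GOOD_REQUEST = { "login" => "alice_01", "email" => "alice@example.com", "age" => "34" }.freeze
BAD_REQUEST  = { "login" => "<script>", "email" => "not-an-email",
                 "age" => "34abc", "admin" => "true" }.freeze

if __FILE__ == $PROGRAM_NAME
  [GOOD_REQUEST, BAD_REQUEST].each do |req|
    clean, errors = validate_params(req, USER_SCHEMA)
    puts "input:  #{req.inspect}"
    puts "clean:  #{clean.inspect}"
    puts "errors: #{errors.inspect}"
    puts
  end
end
```

The design choice worth noting is that the validator is an allow-list, not a block-list: it never tries to recognise "bad" input, it only recognises the input it expected, so an extra "admin" key or a malformed number is dropped by default rather than by a rule someone had to think of in advance.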

UPDATE!
Found some docs:
Securing your Rails application
