Entries from March 2007
Working with files in Rails
March 27th, 2007 · 2 Comments
In many cases web applications save user-entered data to files and deliver file uploads. You should always filter file names that come directly from the user, as an attacker could use a malicious file name to download or overwrite any file on the server. If you use a file name that the user entered […]
Tags: Rails
Filtering Sensitive Logs
March 26th, 2007 · No Comments
Railscasts has an interesting screencast on how to filter sensitive data from logs:
Are you accepting sensitive user data? Passwords, credit card numbers, etc. By default, Rails stores all submitted parameters in plain text in the logs. This episode will show you how to filter this sensitive input so it doesn't show up in the log […]
Tags: Rails
More on logins
March 24th, 2007 · No Comments
Thanks for your comments. Scott writes in a comment:
Assigning things individually is only marginally more secure, given the fact that your example contains no server side validation of data or authorization. Almost invariably, your application would have some sort of administrative interface to choose set admins, and that action could be divined in the […]
Tags: Rails
LoginGenerator and LoginSugar security vulnerabilities
March 20th, 2007 · 3 Comments
There are several login generators, user authentication plugins and access control frameworks for Rails, but most of them are declared beta. Here are the two major ones on RubyForge:
LoginGenerator
Quote: This is the popular generator for the rails framework which will outfit your application with a complete user management. It offers login, signup pages as well […]
Tags: Rails
Do not create records directly from form parameters
March 20th, 2007 · 10 Comments
The scaffold generator creates code like the following, which is admittedly easier to handle, but vulnerable:
@user = User.new(params[:user])
With this code, Rails will create a new user based on the values that the user entered. Any corresponding attributes in the parameter hash params will be set in the user model. Arbitrary properties of the new user […]
Tags: Rails
Apache 2 file privileges and modules
March 15th, 2007 · No Comments
File privileges
On Unix systems, the file and directory access privileges are crucial for security. If you let other people write to files that the root user also writes to or executes, your root account could be compromised. For example, an attacker could modify the apache2ctl start script and execute arbitrary code the next time the root […]
Tags: Web server
Apache 2 setup
March 13th, 2007 · No Comments
Apache 2 introduced the multi-processing modules (MPMs), which provide networking features, accept requests and dispatch them to children to handle the request. You can choose from several MPMs at compile time in order to suit your needs.
The pre-forking server mode, which was the standard behavior in Apache 1.3, lives on in the prefork MPM, which […]
Tags: Web server
Follow-up and links
March 5th, 2007 · 3 Comments
Follow-up of your comments:
Dan Kubb has some interesting comments about the OS security, and uses MySQL in a strict mode by using the sql-mode directive in my.cnf:
sql-mode = ansi,traditional,no_engine_substitution,no_auto_value_on_zero,no_dir_in_create,no_unsigned_subtraction
And, yes, the MySQL user I’m creating is only for “normal” Rails access, not for db migration or testing. I agree, Rails/Rake should provide means to use […]
Tags: Database (MySQL) · General