8 comments

[ 2.6 ms ] story [ 29.9 ms ] thread
I can imagine there could be some files on the file system that would be useful to detect for certain types of undisclosed attacks... But anyone here have ideas about how serious of a threat this is?
The web framework that is chock-full of security blunders continues unabated.

How do people persist with it? Inertia?

Actually it's probably more secure than the vast majority of frameworks.

And certainly it's more secure by default than most web apps. Have you looked into how many PHP apps still suffer from obvious SQL injection attacks?

Well for one, its gotten a lot better and continues to get a lot better. And for two, the ruby on rails community is great. But for three: Mike Hartls beginning rails tutorial. Is there any other book like that on any other language? His book is a critical reason why I choose rails.
Because usage and popularity brings more eyes including security audits?
Doesn't seem to have notably more security issues than comparable frameworks, like Django, so I think you're probably overstating it.

It remains popular because it's a pleasant and efficient build common web apps. It's not suitable for every scenario, but it hits a pretty sweet spot in most cases. I certainly keep coming back to it, regardless of the time I spend with other tools and frameworks.

I'm betting most people have this setting already:

    irb(main):001:0> Rails.configuration.serve_static_assets
    => false
But anyhow, it's an easy upgrade since it's just the security fix.
Thanks Tom! I was wondering how could this impact our applications.