On 27 February 2010 21:15, Dudebot <craign...@gmail.com> wrote:

> Needless to say, this code is *not safe*. A user can run anything in
> that eval. In my application, only trusted users have access to
> building templates.
I don't think it's needless... I think it's extremely important to say. For anyone reading this post and thinking it's a solution to their problem: if anyone sat back and presented this as a "fix" to me, I would fire them for their recklessness :-/

Regardless of how trusted your users are:

a) people get spiteful on occasion,
b) they make mistakes and accidents happen,
c) they might, at some point in the future, legitimately try to put code examples in their template (don't say "they won't"... you *don't* know what people will use your application for in six months or more...), and those examples *might* execute with all sorts of unexpected, unpleasant results.

*never* trust user input... rule one.

The simplest example of the general problem: a small typo in their template will raise an exception to the front end, and they'll be blaming you. You can't test your system, because you don't know what code will execute. One second they're just using "@user.name", the next they've discovered (probably because some helpful coder friend [1] has shown them) that they can use the ternary operator, then they go and start experimenting.... "@user.delete.... I wonder what that will do?"... :-/

Still, if you think it's the best way to solve your problem, Craig, fair enough - it's your code, server, and data that's at risk. But please, you're wrong (nothing personal... I just get to see the result of this type of "solution" time and again, and I don't want other people to think it's a good way :-/

Best regards,
Michael

[1] I've found this tends to be the next step to solve another "problem", and it's often at the original developer's suggestion.
User: "The templates are great, but I need to print 'Dear Mr' if I don't know their first name"
Developer: "Oh, that's easy with the way we've done the templates..."

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
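The eval-based template the reply warns about, beside an allowlist renderer that can only read named fields and never execute code, as an added example that is not from the original thread. The `User` struct, the `{{ ... }}` placeholder syntax, `ALLOWED_FIELDS` and the sample data are assumptions made for this example; the "Dear Mr" fallback from the footnote is handled with an optional default instead of a code path.

```ruby
# Added example: the eval-based template from the thread beside a fixed-vocabulary
# renderer. User, ALLOWED_FIELDS and the {{ ... }} syntax are assumptions.
User = Struct.new(:name, :first_name, :email, keyword_init: true)

# Unsafe: the template is interpolated by eval, so "#{@user.delete}" or any
# other Ruby expression a template author types runs with full privileges.
def render_with_eval(template, user)
  @user = user
  eval("\"#{template}\"")
end

# Safe: placeholders are looked up in an allowlist of attribute names, so a
# template can only ever read these fields, never call arbitrary methods.
ALLOWED_FIELDS = {
  "user.name"       => :name,
  "user.first_name" => :first_name,
  "user.email"      => :email,
}.freeze

# Matches {{ user.first_name }} or {{ user.first_name | Mr }} (optional default).
PLACEHOLDER = /\{\{\s*([a-z_.]+)\s*(?:\|\s*([^}]*?)\s*)?\}\}/

class UnknownPlaceholder < StandardError; end

# Placeholder names a template uses that are not allowed, so a typo is
# rejected when the template is saved instead of raising at render time.
def template_errors(template)
  template.scan(PLACEHOLDER).map(&:first).reject { |k| ALLOWED_FIELDS.key?(k) }.uniq
end

def render_safely(template, user)
  template.gsub(PLACEHOLDER) do
    key, default = Regexp.last_match(1), Regexp.last_match(2)
    attr = ALLOWED_FIELDS.fetch(key) { raise UnknownPlaceholder, "unknown placeholder: #{key}" }
    value = user.public_send(attr).to_s
    value.empty? ? default.to_s : value   # fall back to the literal default text
  end
end
```

Run `template_errors` when a template is saved and `render_safely` when it is rendered; a placeholder outside the allowlist fails closed instead of reaching `eval`.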