I thought I saw a commit like this a while ago. Maybe I was wrong,
will confirm when I go back to my workstation.
Anyway, would you mind sharing why the validator doesn't think the
current implementation is valid? We might be able to do something
about it, as I generally don't think suppress the
On Feb 12, 8:05 am, Michael Koziarski mich...@koziarski.com wrote:
CSRF attacks are about using *session* data to perform an action
without the user's knowledge. The attack you're describing here,
which doesn't rely on session data, could also be performed just using
curl from the command
On Sat, Feb 12, 2011 at 6:40 AM, Mathijs bluescreen...@gmail.com wrote:
On Feb 12, 8:05 am, Michael Koziarski mich...@koziarski.com wrote:
CSRF attacks are about using *session* data to perform an action
without the user's knowledge. The attack you're describing here,
which doesn't rely on
But no matter what we think CSRF protection is about, the old behavior
was about validating every potentially harmful request, the new one a
specific type of attack, which was already covered by the old one.
So we can conclude that the security got loosened somewhat (for
reasons you mention
Nicolás,
Please don't go into details too much for the example case I came up
with.
I already mentioned in my first post, that if the poll is of any real
concern, it would of course have been put behind a login.
And while we're at it, SSL login, with a 2-tier authenticator device
and iris-scan,
On Fri, Feb 11, 2011 at 7:38 PM, Rodrigo Rosenfeld Rosas
rr.ro...@gmail.com wrote:
validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i
That's an unfortunate example, will replace it with something else.
--
You received this message because you are subscribed to
I'm wrong about the token not validating against the W3
Validator; it does validate, my bad.
I was assuming this because I'm working on a site that must validate
against the Webrichtlijnen (http://www.webrichtlijnen.nl/), these are
Dutch accessibility (based on the WCAG) guidelines. One of
Well, before this starts to look like a flamewar, I will just say this:
I did not miss the details of the vulnerability, it was just not part
of our discussion about the default behavior.
The changes to CSRF protection came in 3 parts.
1-The whitelisting part is clear and I understand I now need
+1 for URL and email validators.
Allen Madsen
http://www.allenmadsen.com
On Sat, Feb 12, 2011 at 4:19 AM, Xavier Noria f...@hashref.com wrote:
On Fri, Feb 11, 2011 at 7:38 PM, Rodrigo Rosenfeld Rosas
rr.ro...@gmail.com wrote:
validates_format_of :email, :with =>
oops, yes, i mixed the lists :-)
thanks koz, will check that
jk
2011/2/12 Michael Koziarski mich...@koziarski.com
On Sat, Feb 12, 2011 at 12:31 AM, Joaquin Rivera Padron
joahk...@gmail.com wrote:
hi,
with bundler we can isolate gems for given environments, is there a way
of
doing
In master, there's a regression in the new association handling code. Way back
in a patch I submitted to 3.0 to fix similar problems with eager loading, there
was another edge case that got accidentally fixed as well.
The issue is this:
In JoinAssociation#aliased_table_name_for, the following
Pushed to master, thanks.
On Sat, Feb 12, 2011 at 5:30 PM, Ernie Miller er...@metautonomo.us wrote:
In master, there's a regression in the new association handling code. Way back
in a patch I submitted to 3.0 to fix similar problems with eager loading,
there was another edge case that got
Hello,
I just learned that Arel supports more powerful queries than in rails, e.g.
users = Arel::Table.new('users')
users.where( (users[:id].eq(1)).or(users[:id].eq(2)) )
In rails it will be
User.where( (User.arel_table[:id].eq(1)).or(User.arel_table[:id].eq(2)) )
Which is too complex. DAE
Check out the meta_where gem: https://github.com/ernie/meta_where
On 13/02/2011, at 18:16, Jan jan.h@gmail.com wrote:
Hello,
I just learned that Arel supports more powerful queries than in rails, e.g.
users = Arel::Table.new('users')
users.where(
That's awesome, thanks :)
Now I just wonder why it's not in rails by default?
On Sun, Feb 13, 2011 at 3:42 PM, Ryan Bigg radarliste...@gmail.com wrote:
Check out the meta_where gem: https://github.com/ernie/meta_where
On 13/02/2011, at 18:16, Jan