I hereby claim:
- I am todb-r7 on github.
- I am todb (https://keybase.io/todb) on keybase.
- I have a public key whose fingerprint is 0E67 2077 5F5E 6596 39C8 8CFD 1EFF B682 ADB9 F193
To claim this, I am signing this object:
This advisory concerns a security risk in all supported versions of Active Record. There is no patch to apply for this issue.
Due to the query API that Active Record supports, there is a risk of unsafe query generation in two scenarios. Databases with a table that contains a column with the same name as the table and queries with join aliases which conflict with column names could be vulnerable to an attack where the attacker can perform certain manipulations to the SQL queries generated by Rails.
A vulnerable application will either contain columns named identically to their table, or have column names which conflict with join aliases.
For example, if you had a model called SecurityToken which contained an attribute called security_tokens, then the following code could be manipulated to return additional records:
```
-rwxr-xr-x root shell  33568 2013-05-10 05:13 ATFWD-daemon
-rwxr-xr-x root shell  96380 2013-05-10 05:13 adb
-rwxr-xr-x root shell  34088 2013-05-10 05:13 akmd8963
-rwxr-xr-x root shell    191 2013-05-10 05:13 am
-rwxr-xr-x root shell   9448 2013-05-10 05:13 app6939
-rwxr-xr-x root shell   9500 2013-05-10 05:13 app_process
-rwxr-xr-x root shell  61756 2013-05-10 05:13 applypatch
-rwxr-xr-x root shell 164356 2013-05-10 05:13 applypatch_static
-rwxr-xr-x root shell  67620 2013-05-10 05:13 ast-mm-vdec-omx-test7k
-rwxr-xr-x root shell   9508 2013-05-10 05:13 atrace
```
Based on this conversation, I've generated a "mobile" key, KeyID 4096R/F577904A that I can use to play PGP on a phone. This key will be especially useful over DefCON when I'm travelling. Note that it is signed by my primary key, ADB9F193. Also note that it lives on a mobile device, hence, will be generally less secure than my primary key (which tends to live in offline storage unless being used).
Key 0xCE23271EF577904A is below:
These were generated on Jun 2, 2014. Copy and paste these values to your favorite md5sum / sha1sum checker, or verify by your eyeballs. The purpose of this page is to provide some assurance that what you think you downloaded is actually what was intended by the maintainers of http://defcoin.org, since HTTP connections to DNS-resolved web servers can be a little dicey, depending on your network.
```
# Ensure .ruby-version isn't 2.1.4 when switching branches, but change it when you get there.
co = !"GIT_TOP=$(git rev-parse --show-toplevel); git checkout -- $GIT_TOP/.ruby-version; \
    git checkout $1; echo 2.1.4 > $GIT_TOP/.ruby-version; #"
```
Public Key Server -- Get `0xbd63d0a3ea19caac`
```
[alias]
    # A pretty and short commit log which notes signed commits
    nicelog = log --pretty=format:'%Cred%h%Creset -%Creset %s %Cgreen(%cr) %C(bold blue)<%aE>%Creset [%G?]'
    # Get the current tracking branch, eg, upstream/master
    tracking = !"git branch -vv | grep \\* | sed 's#.*\\[\\(.*\\)[]].*#\\1#' | cut -f 1 -d :"
    # Get the current tracking branch remote, eg, upstream
    tracking-remote = !"git tracking | cut -f 1 -d /"
    # Fetch and rebase from the current tracking remote, preserving and re-signing local merges.
    fetch-preserve-merges = !"git fetch $(git tracking-remote) && \
        git rebase --preserve-merges && \
```
```
mike@rbci:~$ psql -U postgres
psql (9.0.3)
Type "help" for help.

postgres=# update pg_database set datallowconn = TRUE where datname = 'template0';
UPDATE 1
postgres=# \c template0
You are now connected to database "template0".
template0=# update pg_database set datistemplate = FALSE where datname = 'template1';
UPDATE 1
```