Security + Rails =Joke?

Hi,

http://dev.rubyonrails.org/ticket/8453

http://dev.rubyonrails.org/ticket/8371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227

I came across the above by accident. While I am subscribed to the so
called rails security list where supposed announcement of security
issues were to be posted, neither of the above problem made the list.

While I use rails a lot and like it, the above mentality of deeming
something insignificant is troubling. A bug is either a security issue
or it is not. It should be left up to the end-user whether they deem
it important to them and not rails upstream.

So I guess the question remains. Do rails developers deem security as
something secondary and not worth even making a simple post (or just a
link) at the currently empty security list[1] ? Is security+rails a
joke?

- Adam

[1] - http://groups.google.com/group/rubyonrails-security/topics

All I see is a bunch of fixed issues. So you are complaining not about low security of the framework, but about how community handles it and lack of communication between individuals?

I would agree that the Security mailing list should be utilized a
little more than it is now (it's not) when a potential issue rises.
When the "XML Parsing (included malformed DTD), 99% CPU DoS Attack"
thread (http://groups.google.com/group/rubyonrails-core/browse_thread/
thread/9e62a02529ce97f1) was started back in August, I kind of
expected that to be posted to the Security group although it never
was.

I would agree that the Security mailing list should be utilized a
little more than it is now (it's not) when a potential issue rises.
When the "XML Parsing (included malformed DTD), 99% CPU DoS Attack"
thread (http://groups.google.com/group/rubyonrails-core/browse_thread/
thread/9e62a02529ce97f1) was started back in August, I kind of
expected that to be posted to the Security group although it never
was.

Sorry,

That should definitely have been posted to the security list, the post
rights are restricted and david was away on holiday when that bug was
found. This has been sorted out now.

*Exactly*. That is what I feel security list is for - communication.
Someone is using version 1.1.6 in the application and doesn't care
about the framework fixes (+new bugs) because it just works. But they
should be aware if any issues come up that can potentially affect the
security of their application.

One should be able to go to the security list and see threads like,
    [1.1.6 - 1.2.3] - XSS in to_json. to_json doesn't escape stuff.
[link to ticket]
preferably, there there should be a followup for what version the
problem was fixed and the changesets that fix it.

This is not only something for individuals but for people using rails
that is part of distributions like Debian. Debian and other distro
maintainers need to be aware of problems so these can be backported
(or checked if old release is affected).

I became aware of one of the bugs after receiving a secunia advisory
  http://secunia.com/advisories/25699/
One should be able to receive such information prior from the Rails
security list.

- Adam

Ah! I find out another potential problem..

It is possible that all these past, as well as any current, issues be
posted to the security list now? Even a simple three liners would be
nice. Something like,

I don’t remember stuff from before v1.2.3 well, but the only security features/fixes from that version to present that I can find are Request Forgery Protection (csrf killer) and these:

#8371: to_json XSS issue (mentioned in this thread)
[7589]: Secure #sanitize, #strip_tags, and #strip_links helpers against xss attacks (http://dev.rubyonrails.org/changeset/7589)