
Rack - Important Security Upgrade

56 points, by dpaluy, over 12 years ago

7 comments

ChuckMcM, over 12 years ago
The RoR security issues have been depressing for me. My daughter had a credit card stolen from a web site, built on Rails by a third party for the owner; the owner didn't know _what_ powered the web site, they had a really "easy to use" tool for putting things up there. A code audit showed the site had been completely redone to appear the same and provide a card-harvesting service forwarding card information to the Ukraine.

How many more of these are there out there? Tens? Hundreds? Thousands?
wildchild, over 12 years ago
2.5-year-old issue: https://twitter.com/coda/status/299732877745197056

Impressive.
ufo, over 12 years ago
I searched a bit and found patches that I think help to explain what was going on and how severe things were. I'd appreciate it if anyone could confirm I found the correct stuff and if anyone could help explain what happened (in particular, I don't understand why the timing attack bug would lead to a remote code execution).

-----------

The first bug seems to be in some function that checks if you can find a file in a folder. Currently the function counts the number of ".."s to make sure you don't go out of the folder you started the search in (emitting an error if the depth becomes less than 0); however, this does not take into account the possibility of one of the intermediate folders in the path being a symlink, meaning that `./symlink/../bar` is not the same as `./bar` and therefore ruining the logic. The fix seems to be a hack to transform `./xxx/../b`s into `./b` by hand, without passing it to the filesystem.

https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30

The second bug seems to have to do with `==` not being safe and them having to do a "secure compare":

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07

edit: apparently the problem here is that the time that `==` takes to run depends on the inputs. This means an attacker can do multiple carefully crafted requests and use this timing information to guess your secret key stuff. I still don't know why guessing the secret stuff would lead to remote code execution, though.
rachelbythebay, over 12 years ago
I never realized the Rack logo used the same font that Rackspace used to use. It was a little disconcerting to see that at first.

For those who remember, it's the one which had 8 little rectangular machines, with one of them pulled out a bit and glowing red. I used to say it was the one that was on fire, because, well, it happens!
Robin_Message, over 12 years ago
How bad is this? I assume they say that Rails-based sessions are secure as they are HMAC'd with a secret, which a timing attack won't break unless the Rails HMAC testing is broken.
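The two fixes ufo describes above, and the HMAC-signed session check Robin_Message asks about, written out as an added, runnable example. This is not Rack's or Rails' own code and does not reproduce the linked commits; the function names, the `payload--signature` cookie layout and the secret are constructed for the demonstration. It shows (1) resolving `.` and `..` segments lexically, before the filesystem sees the path, so `/symlink/../bar` collapses to `/bar` and a symlink can never be used to carry `..` outside the document root, which a plain depth counter would miss; (2) a comparison whose running time does not depend on where two strings first differ; and (3) verifying an HMAC'd cookie with that comparison.

```ruby
require 'openssl'
require 'base64'

# Added example, not Rack's or Rails' code. Names, cookie format and the
# secret below are constructed for illustration.

# 1. Lexical path normalisation: "." and ".." are resolved before the path
#    reaches the filesystem, so the kernel never follows an intermediate
#    symlink and ".." cannot escape the root through it. A ".." at the root
#    is dropped rather than raising, so the result always stays under "/".
def clean_path_info(path_info)
  parts = path_info.split(%r{/+})
  clean = []
  parts.each do |part|
    next if part.empty? || part == '.'
    part == '..' ? clean.pop : clean << part
  end
  clean.unshift('/') if parts.empty? || parts.first.empty?
  File.join(*clean)
end

# 2. Constant-time comparison. String#== may stop at the first differing
#    byte, so its timing reveals how long a correct prefix a guess has; this
#    version XORs every byte and only inspects the accumulated result.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  acc = 0
  b.each_byte.with_index { |byte, i| acc |= byte ^ left[i] }
  acc.zero?
end

# 3. An HMAC-SHA256 signed cookie "base64(payload)--hexdigest", verified with
#    secure_compare. DEMO_SECRET is a constructed value for this example only.
DEMO_SECRET = 'constructed-demo-secret-not-for-real-use'.freeze

def sign_cookie(payload, secret = DEMO_SECRET)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Returns the payload when the signature verifies, nil for anything else
# (missing separator, bad base64, or a digest that does not match).
def verify_cookie(cookie, secret = DEMO_SECRET)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  return nil unless secure_compare(expected, digest)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

if __FILE__ == $0
  puts clean_path_info('/symlink/../bar')    # /bar
  puts clean_path_info('/../../etc/passwd')  # /etc/passwd
  cookie = sign_cookie('user_id=42')
  puts verify_cookie(cookie).inspect         # "user_id=42"
  # Same signature attached to a different payload must be rejected.
  _, sig = cookie.split('--', 2)
  forged = "#{Base64.strict_encode64('user_id=1')}--#{sig}"
  puts verify_cookie(forged).inspect         # nil
end
```

The comparison is the piece a timing attack targets: with `==`, each request that gets one more byte of the signature right returns measurably later, so the attacker can recover the digest byte by byte; with `secure_compare`, the length check is the only early exit and it leaks nothing secret. Recent Rubies also ship `OpenSSL.fixed_length_secure_compare`, which can replace the hand-rolled version.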
trustfundbaby, over 12 years ago
I imagine there's going to have to be a Rails release to upgrade the Rack versions used?
static_typed, over 12 years ago
Another day, another Ruby security bump. Sigh. Serious point: as Ruby seems to attract all the younger generation of programmers these days, and the current trend seems to be dev early, release early, security hole early, could this be turned around by more experienced hands joining the community?

Could the Ruby way become a bit safer and more secure in time?