I never really realized how big a security risk file uploads are. MIME type sniffing, arbitrary Content-Type, Content-Disposition: inline and the like make it almost impossible to make serving user-uploaded files secure in a cross-browser manner unless you're extremely careful. Especially if you're serving the files from the same domain.
Smol fucked around with this message at 15:37 on May 24, 2013
May 24, 2013 15:31

What does `|=` actually do in ruby? I can't find any info on it other than that it's an operator, and performs assignment.
May 24, 2013 16:07

A MIRACLE posted: What does `|=` actually do in ruby? I can't find any info on it other than that it's an operator, and performs assignment.
It's actually '||=', and it's the conditional assignment operator - you commonly see it in lazy computation of values: code:
May 24, 2013 16:12

Assuming that you mean '||=', 'x ||= y' is equivalent to 'x || x = y'.
May 24, 2013 16:17

No, I literally mean the `|=' operator. My friend asked me about it and I didn't know what to tell him. http://www.tutorialspoint.com/ruby/ruby_operators.htm They list it at the bottom along with some others I've never seen or used before.
e: looks like some combination of bitwise OR with assignment.
A MIRACLE fucked around with this message at 16:35 on May 24, 2013
May 24, 2013 16:32

A MIRACLE posted: No, I literally mean the `|=' operator. My friend asked me about it and I didn't know what to tell him.
It's the same as writing: code:
code:
May 24, 2013 17:56

More generally, writing an expression like 'x op= y' is equal to 'x = (x op y)', except in the case of conditional operator assignment (||= and &&=), where it means 'x op (x = y)'. The difference is small, but in practice it means that the left-hand side (x in my examples) isn't necessarily assigned to at all.
Smol fucked around with this message at 18:29 on May 24, 2013
May 24, 2013 18:24

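An added example, not code from any post in this thread, showing the expansions described above in running Ruby: `x |= y` is `x = x | y` (bitwise OR on Integers, set union on Arrays) and always assigns, while `x ||= y` is `x || x = y` and only assigns when `x` is nil or false. The `Tracked` class and the helper functions are names chosen for this illustration; the counting setter makes the "left-hand side isn't necessarily assigned to at all" point observable.

```ruby
# Added example: how Ruby's compound assignment operators expand.
# `x |= y`  is sugar for `x = x | y`  (assignment always happens)
# `x ||= y` is sugar for `x || x = y` (assignment only when x is nil/false)

# A value holder whose setter counts how often it is invoked, so we can see
# whether a given operator actually performed an assignment.
class Tracked
  attr_reader :value, :writes

  def initialize(value)
    @value = value
    @writes = 0
  end

  def value=(v)
    @writes += 1
    @value = v
  end
end

# `|=` on an Integer: bitwise OR of the two operands, then assignment.
def bitwise_or_assign(flags, mask)
  flags |= mask
  flags
end

# `|=` on an Array: Array#| is set union, so only missing elements are added.
def array_or_assign(list, extra)
  list |= extra
  list
end

# `||=` on an attribute: expands to `obj.value || obj.value = default`,
# so the setter runs only when the current value is nil or false.
def conditional_assign(obj, default)
  obj.value ||= default
  obj
end

# `|=` on an attribute: expands to `obj.value = obj.value | mask`,
# so getter, Integer#|, and setter all run every time.
def unconditional_or_assign(obj, mask)
  obj.value |= mask
  obj
end

if __FILE__ == $PROGRAM_NAME
  read, write = 0b100, 0b010
  puts bitwise_or_assign(read, write)                        # 6
  p array_or_assign(%w[ruby rails], %w[rails rack])          # ["ruby", "rails", "rack"]
  set = conditional_assign(Tracked.new(42), 7)
  puts "#{set.value} after #{set.writes} writes"             # 42 after 0 writes
  unset = conditional_assign(Tracked.new(nil), 7)
  puts "#{unset.value} after #{unset.writes} writes"         # 7 after 1 writes
  ored = unconditional_or_assign(Tracked.new(0b100), 0b010)
  puts "#{ored.value} after #{ored.writes} writes"           # 6 after 1 writes
end
```

The `Tracked.new(42)` case is the one that matters for lazily computed values: with `||=` the setter is never called, so a memoized attribute is not rewritten, whereas `|=` on the same object always goes through the setter.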
Smol posted: I never really realized how big a security risk file uploads are. MIME type sniffing, arbitrary Content-Type, Content-Disposition: inline and the like make it almost impossible to make serving user-uploaded files secure in a cross-browser manner unless you're extremely careful. Especially if you're serving the files from the same domain.
Fortunately you can use carrierwave or paperclip to do the hard parts, and if you use S3 instead of the same domain it'll even work well on Heroku.
May 24, 2013 18:56

Cocoa Crispies posted: Fortunately you can use carrierwave or paperclip to do the hard parts, and if you use S3 instead of the same domain it'll even work well on Heroku.
I wish it were that simple. Paperclip has some options to enhance security, but they're not enough. For example, if you allow the users to determine the file extension and display the attachments inline, IE8 users (not sure about IE9+) are open to XSS injection. If the following file is served with 'Content-Type: application/pdf' and 'Content-Disposition: inline; filename="originalfilename.html"', IE8 will sniff that it's actually an HTML file, allowing for easy XSS attacks against the careless user who clicks 'Open'. You can even throw a fake PDF header like "%PDF1.3" in the beginning of the file to thwart most MIME type sniffers, while IE will still happily interpret it as an HTML file. Fortunately IE8+ doesn't upsniff anything served with an image/foo Content-Type, but e.g. application/pdf still works. code:
Smol fucked around with this message at 19:38 on May 24, 2013
May 24, 2013 19:36

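An added example, not code from this thread or from Paperclip, showing the header discipline that closes the hole described above and also answers the later question about send_file for authenticated downloads. The names `ALLOWED_TYPES`, `classify_upload`, `safe_filename` and `download_headers` are chosen for this illustration. The rules it encodes: never trust the uploader's Content-Type, pick it from a fixed allowlist; only image types may go `inline`, everything else is forced to `attachment`; the filename in Content-Disposition gets an extension pinned to the served type; and `X-Content-Type-Options: nosniff` tells the browser not to upsniff. The magic-byte check is included for completeness and deliberately not relied on, since a fake `%PDF-` header passes it exactly as the post says.

```ruby
# Added example (not code from the thread): response headers for serving a
# user-uploaded file so a browser cannot sniff a "PDF" into HTML.
# ALLOWED_TYPES, classify_upload, safe_filename and download_headers are
# names chosen for this illustration, not Paperclip or Rails APIs.

# Fixed allowlist keyed by the extension the file was stored under. The
# uploader's Content-Type is never consulted. Only image types may be
# rendered inline; everything else is forced to a download.
ALLOWED_TYPES = {
  'png' => { type: 'image/png',       inline: true,  magic: "\x89PNG\r\n\x1A\n".b },
  'jpg' => { type: 'image/jpeg',      inline: true,  magic: "\xFF\xD8\xFF".b },
  'gif' => { type: 'image/gif',       inline: true,  magic: 'GIF8'.b },
  'pdf' => { type: 'application/pdf', inline: false, magic: '%PDF-'.b }
}.freeze

class UnsafeUpload < StandardError; end

# Look up the allowlist entry for +ext+ and require the leading bytes of
# +content+ to match its magic number. This rejects obvious mismatches
# (an HTML file stored as .pdf) but is not the main defence: the fake
# "%PDF-1.3" trick passes it, which is why the disposition and nosniff
# rules below do not depend on it.
def classify_upload(ext, content)
  entry = ALLOWED_TYPES[ext]
  raise UnsafeUpload, "extension #{ext.inspect} is not allowed" unless entry
  head = content.byteslice(0, entry[:magic].bytesize).b
  raise UnsafeUpload, "content does not look like #{entry[:type]}" unless head == entry[:magic]
  entry
end

# Reduce the user-chosen name to a conservative character set, drop any
# directory part, and pin the extension to the type actually served, so the
# client never sees filename="originalfilename.html" on a PDF response.
def safe_filename(user_name, ext)
  base = File.basename(user_name.to_s, '.*').gsub(/[^A-Za-z0-9._-]/, '_')[0, 100]
  base = 'download' if base.empty? || base.start_with?('.')
  "#{base}.#{ext}"
end

# Build the headers for one download. In Rails the same values map onto
# send_file(path, type: ..., disposition: ..., filename: ...) for an
# authenticated download, with the nosniff header set on response.headers.
def download_headers(ext:, content:, user_filename:)
  ext = ext.to_s.downcase
  entry = classify_upload(ext, content)
  disposition = entry[:inline] ? 'inline' : 'attachment'
  {
    'Content-Type' => entry[:type],
    'Content-Disposition' => "#{disposition}; filename=\"#{safe_filename(user_filename, ext)}\"",
    # Tells IE8+ and modern browsers to trust Content-Type rather than sniff.
    'X-Content-Type-Options' => 'nosniff',
    'Content-Length' => content.bytesize.to_s
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: HTML dressed up with a fake PDF header, uploaded as
  # "originalfilename.html" but stored under a .pdf extension.
  fake_pdf = "%PDF-1.3\n<html>not a pdf</html>".b
  p download_headers(ext: 'pdf', content: fake_pdf, user_filename: 'originalfilename.html')
end
```

Even with these headers, serving from a separate origin (as the next reply recommends) is still the stronger boundary: the headers stop the sniffing case, the separate domain stops any script that does get rendered from reaching the application's cookies.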
Smol posted: I wish it were that simple. Paperclip has some options to enhance security, but they're not enough. For example, if you allow the users to determine the file extension and display the attachments inline, IE8 users (not sure about IE9+) are open to XSS injection. If the following file is served with 'Content-Type: application/pdf' and 'Content-Disposition: inline; filename="originalfilename.html"', IE8 will sniff that it's actually an HTML file, allowing for easy XSS attacks against the careless user who clicks 'Open'. You can even throw a fake PDF header like "%PDF1.3" in the beginning of the file to thwart most MIME type sniffers, while IE will still happily interpret it as an HTML file.
Putting them on a different domain solves XSS; it's why GitHub moved Pages to github.io, why Dropbox has unprocessed file downloads on dropboxusercontent.com, etc. Don't let users upload and thumbnail EPS files either.
May 24, 2013 20:05

Yep, it's that hard. Makes authenticated downloads quite tricky.
May 25, 2013 01:43

Can you use send_file for authenticated downloads?
May 25, 2013 07:21

Can someone point me towards a good overview of the threading model for Rails web apps? I'm slightly embarrassed to admit I don't really know how the architecture is set up to deal with concurrent users on a Rails app (the Ruby side of things, that is, not the database).
May 31, 2013 17:07

Lexicon posted: Can someone point me towards a good overview of the threading model for Rails web apps? I'm slightly embarrassed to admit I don't really know how the architecture is set up to deal with concurrent users on a Rails app (the Ruby side of things, that is, not the database).
It depends on the app server you use, and if your Rails stack is loading Rack::Lock. The long version is Unicorn uses multiple UNIX processes to handle parallel requests, Rainbows handles multiple requests in a single process with a variety of configurable techniques, Passenger uses multiple processes, Puma uses threads, and if you're using Webrick in production kill yourself.
May 31, 2013 21:11

Cocoa Crispies posted: It depends on the app server you use, and if your Rails stack is loading Rack::Lock.
May 31, 2013 21:16

I thought Rainbows was just Unicorn with buffering
May 31, 2013 22:06

What the hell is Rainbows? I think you're thinking of Rainbows!.
May 31, 2013 22:45

Pardot posted: I thought Rainbows was just Unicorn with buffering
"Combines heavyweight concurrency (worker processes) with lightweight concurrency (Events/Fibers/Actors/Threads), allowing CPU/memory/disk to be scaled independently of client connections. More concurrency models (listed in the TODO) will be supported as we find time for them."
It's not as bad in modern Ruby, but the GC in older Rubies meant that forked processes were more RAM-hungry than they should be in a copy-on-write environment like modern UNIX. Rainbows needs to fork less than Unicorn to handle the same number of clients; the downside is your app has to be threadsafe. I've used it to perform encryption and accounting on uploads between clients and Riak CS, while other parts of the service ran on separate Unicorn machines.
Molten Llama posted: What the hell is Rainbows?
I don't negotiate with terrorists and I don't engage in typographic fuckery for the sake of branding.
Jun 1, 2013 05:26

I'm having some trouble with Passenger and my Googling doesn't seem to be fixing it. Recently I tried to upgrade from 3.0.7 to 3.0.19 on our main servers and I was met with the lovely Red Hat Linux Apache Test Default Page thingy. I immediately downgraded to 3.0.7 and have given up on that. Today I tried to upgrade from 2.2.8 to 3.0.7 (thinking that 3.0.7 was a version that would work for me) and I ran into the same problem. Again I had to immediately downgrade back to the working version as this brought down some production sites. Does anyone have any insight into why this might be happening?
Jun 4, 2013 04:25

So what did you do, exactly? Ran passenger-install-apache2-module, copy-pasted the new configuration and restarted Apache? Anyhow, Apache's error logs will likely tell you something.
Jun 4, 2013 06:48

That's what I did, yeah. Apache's error logs didn't say much, but I didn't have a ton of time to test it out. Guess I'll have to try it again tonight while tailing the logs. Doesn't help that I'm behind a load balancer that won't let me connect directly to either server, so I have to do everything twice.
Jun 4, 2013 15:41

If you're editing on the server, use curl to test it so you don't have to deal with a balancer. Last time I set up Apache I edited a config file that wasn't being included or loaded, so double-check that. Make a very obvious syntax error and see if apachectl -t whines about it, and make sure the vhost is being set up right with apachectl -S.
Jun 4, 2013 16:42

You need something like all this: code:
Jun 4, 2013 18:51

I like Ruby. It's pretty cool. I'm pretty new to Rails, though, and I'm trying to do a thing that I can't figure out. I want to be able to input some values in a form, and use those fields/values for HTTP GET requests to some other website's API, then display whatever comes back on the page. The part I'm having trouble with is I don't really understand how forms even work!! I'm reading guides.rubyonrails.org stuff and thinking that I want to be using ActiveRecord callbacks but if someone could clearly describe to me how this stuff works on a fundamental level I would appreciate it.
Jun 5, 2013 15:41

ARACHNOTRON posted: I like Ruby. It's pretty cool. I'm pretty new to Rails, though, and I'm trying to do a thing that I can't figure out.
Form GET and POST elements come in on the params hash. Use the appropriate part of that hash to initialize a model that encapsulates the external API request. Models don't have to be ActiveRecord, you don't have to use form_for (you can just use form_tag), and shipping software counts for more than the perfect little object hierarchy.
Jun 5, 2013 19:01

I'm confused. Use jQuery's ajax or, better yet, add :remote => true to your form and allow the controller to respond to JS requests.
Jun 6, 2013 01:47

Cocoa Crispies posted: Form GET and POST elements come in on the params hash. Use the appropriate part of that hash to initialize a model that encapsulates the external API request. Models don't have to be ActiveRecord, you don't have to use form_for (you can just use form_tag), and shipping software counts for more than the perfect little object hierarchy.
Thanks for the more concise explanation. I looked into it a little more and wrote up this quickly: code:
Jun 6, 2013 16:10

I'm creating a model method for a user to check if they have a certain relationship based on criteria given. For example: code:
=> [#<CellaredBeer id: 143, user_id: 1, beer_id: 1, created_at: "2013-05-23 20:33:51", updated_at: "2013-05-23 20:33:51", year: 2013, size: "750mL", qty: 1>]
The idea is to be able to use this function when someone adds a beer to either update the quantity, or create a new relationship if there is no match. code:
Jun 6, 2013 20:36

I'm trying to make a button to get a user to follow an item using the Socialization gem https://github.com/cmer/socialization The markup in the documentation in ruby is code:
code:
I'm using in my item#show view code:
code:
Jun 6, 2013 20:57

raej posted: I'm creating a model method for a user to check if they have a certain relationship based on criteria given.
Try this: code:
Jun 7, 2013 17:10

prom candy posted: Try this:
EDIT: Upon further testing, it seems to not like it only when qty is nil. If I set cb.qty to a number, += works as it should. code:
What am I missing? Also, how would I call the cellar! function on a beer view with a form?
raej fucked around with this message at 17:56 on Jun 7, 2013
Jun 7, 2013 17:25

Mr Man posted:
First off, your form isn't set up right. You're trying to pass in the followitem method as the object you're building a form for, and you're passing in a hash to the followitem method when it's expecting an object marked as 'acts_as_followable' or some poo poo. Take a step back and think about what you're actually trying to do. Here are two simple rules:
1) You can't pass an object from the client to the server, you can only pass representations and identifiers of that object.
2) You can't run Ruby code on the client.
So, this means you need to set up a link that POSTs back an ID of an Item object that the current user wants to follow. Whether you do that by a form and hidden ID, or a simple `link_to "Follow!", follow_item_path(item), :method => :post` with a constrained route is up to you (eg, '/users/4/follow/8'). The goal of this is to just pass the ID of the Item object. Nothing more. Then, in your controller, you need to search for the item with the ID you passed in from the client, and then call the current_user.follow!(item) method using the object you found through ActiveRecord. This is a good candidate for an Ajax request, which it seems like you're trying to do, but before you even think about that get it working with plain old HTTP request/response.
Jun 7, 2013 17:59

UxP posted: you can't pass an object from the client to the server, you can only pass representations and identifiers of that object.
These are good rules to program by. Additionally:
Helpers: generate a piece of HTML for part of a thing (a link as part of an object, a CSS class for an object, a form field)
Partials: generate a piece of HTML for an entire semi-complicated thing (a form, a complicated object representation)
Views: generate HTML for a single screen
Controllers: invoke a model method or two, turn models into view-ready representations
Models: the actual business logic, including finding stuff for complicated controllers, coordinating activities between multiple materialized models, validating form inputs, etc.
Jun 7, 2013 19:28

raej posted: EDIT: Upon further testing, it seems to not like it only when qty is nil. If I set cb.qty to a number, += works as it should.
Are you sure your cellar method is saving the user_id? Try rewriting your code like this. Note that I got rid of that nasty condition for you: code:
code:
prom candy fucked around with this message at 19:44 on Jun 7, 2013
Jun 7, 2013 19:41

UxP posted: First off, your form isn't set up right. You're trying to pass in the followitem method as the object you're building a form for, and you're passing in a hash to the followitem method when it's expecting an object marked as 'acts_as_followable' or some poo poo. Take a step back and think about what you're actually trying to do.
Yeah, I want to eventually use this in an Ajax request. I'm just trying to get a simple HTTP request/response running first.
Jun 7, 2013 20:18

Has anybody here ever tried using all sorts of different SQL constraints on one's schema instead of going the traditional route of letting the model logic try its best to preserve integrity? Has this turned out ok in the end, or did you regret it?
Jun 7, 2013 21:01

DreadCthulhu posted: Has anybody here ever tried using all sorts of different SQL constraints on one's schema instead of going the traditional route of letting the model logic try its best to preserve integrity? Has this turned out ok in the end, or did you regret it?
The only problem with this approach is that you'll get a generic ActiveRecord::StatementInvalid for just about any error in the database. So if you have multiple ways of something going wrong, parsing those exception messages isn't a very robust way to detect the problem.
Jun 7, 2013 21:59

Smol posted: The only problem with this approach is that you'll get a generic ActiveRecord::StatementInvalid for just about any error in the database. So if you have multiple ways of something going wrong, parsing those exception messages isn't a very robust way to detect the problem.
Let's say I'm not using ActiveRecord at all but rolling my own statements in a data access layer somewhere.
Jun 7, 2013 22:01

DreadCthulhu posted: Let's say I'm not using ActiveRecord at all but rolling my own statements in a data access layer somewhere.
Then you can do whatever. ActiveRecord is there to make working with relational databases easy, not possible; that's the job of the `pg` gem.
Jun 8, 2013 02:47

I'm building a Google Analytics clone http://easy-analytics.herokuapp.com/ and could use some advice on a fairly complicated thing I'm working on. Essentially, I have Websites which have many Visitors and then many Visitor Sessions and Pageviews through Visitors. I'm currently working on making a delayed job where I grab all of the data created/updated in hour-long blocks and run all of the calculations needed for that hour. That way, when a user checks their analytics, I'll only need to add up hourly stats rather than each individual model. My main issue right now is figuring out how to pull all of the data from the server correctly. This is my current code: code:
code:
My other question is about delayed job itself. Is it possible to get these to work on Heroku without going with their paid plan? Any gem I should look into for doing this? Thank you!
Jun 9, 2013 07:42