[Radiant] Radiant Site Hacked
Sean Cribbs
seancribbs at gmail.com
Mon Jul 23 08:44:19 CDT 2007
Before we jump the gun, we have no _real_ idea how the attack was
accomplished. The core team is poring over the log files to find more
information. I agree that the class-variable thing is kind of bad
practice, but it's set at the beginning of every request (and Rails only
handles one at a time), so there will be no issue with a race condition.
Sean
Andreas Schwarz wrote:
> Andrea Franz wrote:
>
>> I've not been victim of an attack...but I think it could be better
>> setting the current_user in a thread variable instead of using a
>> class variable.
>>
>> I usually use something like this:
>>
>> def set_current_user
>>   Thread.current['current_user'] = current_user
>> end
>>
>
> That would only work if each request had its own thread. But Rails
> doesn't even use threads at all.
>
> http://worsethanfailure.com/Articles/The_Cost_of_Static.aspx
>
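To make the point under discussion concrete (an added example, not code from this thread or from Radiant): two simulated requests run in separate threads with a forced interleaving, once against a class-variable store and once against a Thread.current store. ClassVarStore, ThreadLocalStore, run_interleaved and the user names are constructed for the demo and assume a server that serves requests on concurrent threads.

```ruby
# Added example: shows how a class variable leaks the current user across
# concurrently running requests, while Thread.current keeps it per thread.
# All names here are constructed for the demo.
require 'thread'

class ClassVarStore
  @@current_user = nil              # one slot shared by every thread in the process
  def self.current_user=(u); @@current_user = u; end
  def self.current_user; @@current_user; end
end

class ThreadLocalStore
  # Thread.current is a per-thread hash, so each request thread gets its own slot
  def self.current_user=(u); Thread.current[:current_user] = u; end
  def self.current_user; Thread.current[:current_user]; end
end

# Runs two "requests" concurrently with a deterministic interleaving:
#   request A sets its user, then request B sets its user, then A reads back.
# Returns the user that request A believes it is acting as.
def run_interleaved(store)
  a_set = Queue.new
  b_set = Queue.new
  seen_by_a = nil
  a = Thread.new do
    store.current_user = 'alice'
    a_set << :done               # let B proceed
    b_set.pop                    # wait until B has stored its user
    seen_by_a = store.current_user
  end
  b = Thread.new do
    a_set.pop
    store.current_user = 'bob'
    b_set << :done
  end
  [a, b].each(&:join)
  seen_by_a
end

if __FILE__ == $0
  puts "class variable: request A sees #{run_interleaved(ClassVarStore).inspect}"
  puts "thread-local:   request A sees #{run_interleaved(ThreadLocalStore).inspect}"
end
```

In a single-threaded server the class variable is only overwritten between requests, which is why the thread's point about Rails holds; as soon as two requests are served at once, request A continues as user bob.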