Jim Weirich wrote:
> Kris Leech wrote:
>> Patrick Hurley wrote:
>>> On 6/16/06, Austin Ziegler <halostatue / gmail.com> wrote:
>>>> That's not the point of ZenObfuscate. It doesn't turn Ruby into a
>>>> "static" language. If you want to prevent code injection, you need to
>>>> defend against it in your application.
>>> 
>>> I believe that the injection he is talking about after the application
>>> is deployed with rails still in plain text view, having someone open
>>> the rails files and add code that could overwrite methods, etc.
>> 
>> Yes that is what I talk of.
> 
> But if anyone has access to the files comprising the application, they 
> could completely replace the files with whatever they wanted.  Even 
> compiled/obfuscated code isn't a remedy for that.
> 
>> Anyone with a basic understanding of Ruby/Rails could insert code to access 
>> the database using activerecord.
> 
> Actually, anyone with access to the database could modify the database 
> without needing to go through activerecord.

Of course, if you can inject ruby code you can do anything.

> 
> If you are worried about these things, then (1) control access to the 
> program files, and (2) control access to the database.

What if server access is not controllable, e.g. shared servers?
And if you are on the server you can read database.yml (plain text) and, 
as said, insert code.

> 
> -- Jim Weirich


-- 
Posted via http://www.ruby-forum.com/.