All about a Ruby on Rails security flaw
10 August 2006, early afternoon
A serious security breach was found in the source code for Ruby on Rails. The core team announced as much, and suggested (strongly) that everyone running a Rails application upgrade immediately. The disclosure of a serious bug and a quick fix are good things. However, the Rails team felt that the bug was so serious they shouldn’t inform the community about its details; this doesn’t make too much sense.
Rails is an open source framework; the source code is available for everyone to see. When you tell everyone that version X of your software has a flaw, but version Y doesn’t, and you let people read both versions X and Y of your source code, it doesn’t take too long for people to see what was changed between versions X and Y. In fact, in this particular case it didn’t take too long at all.
So what did the Rails team gain by not disclosing the details of the bug? As far as I can tell, nothing. Since they didn’t announce what prior versions were affected by this bug, some system administrators may have patched servers that didn’t need to be patched, wasting their time and resources. That’s actually a pretty big deal. More so, the sort of people that are going to be writing scripts to “hack” Rails applications are the sorts of people that will probably know enough to run code>diff.
This is being discussed in the comments in the announcement thread, its follow-up, and in the Ruby on Rails forums. Apparently the bug still effects some systems.
Update: The Rails team discloses everything in their latest post on this topic.