Ruby on Rails XSS attacks and timing bugs

Ruby on Rails has not been properly checking Unicode strings for XSS attacks; the flaw has been patched. In addition, Rails has a problem in which the timing of its digest processing code can be used to help attackers narrow down and eventually forge complete signatures. This bug has also been patched, and is considered a low priority because so many latencies in the system (networking, for example) add enough “jitter” to make it almost impossible to reliably exploit.
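To show why the timing of a digest check matters, here is an added example (not Rails' own code) with a hypothetical signed-message verifier: the naive comparison stops at the first differing byte, so the work it does reveals how much of a guessed signature is correct, while the fixed-work comparison inspects every byte regardless.

```ruby
require 'openssl'

# Naive comparison: returns at the first mismatching byte. Returns
# [matched?, bytes_inspected] so the leak is visible without a stopwatch:
# the number of iterations (and so the running time) grows with the length
# of the common prefix.
def naive_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytes.each_with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Fixed-work comparison: walks every byte and ORs the XOR differences into
# an accumulator, so the amount of work does not depend on where (or
# whether) the two strings differ. Length is not secret, so checking it
# first is fine.
def constant_time_compare(a, b)
  return false if a.bytesize != b.bytesize
  diff = 0
  a.bytes.each_with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  diff.zero?
end

# Hypothetical verifier (assumed, not Rails' API): HMAC-SHA1 over the
# payload, hex encoded, checked with the fixed-work comparison.
def sign(secret, payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

def verify(secret, payload, digest)
  constant_time_compare(sign(secret, payload), digest)
end

# How many bytes naive_compare looked at before rejecting a candidate.
def naive_work(expected, candidate)
  naive_compare(expected, candidate)[1]
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret'   # constructed sample value
  good = sign(secret, 'user=42')
  # A candidate that shares a longer prefix with the real digest costs
  # naive_compare more iterations; constant_time_compare always does 40.
  puts naive_work(good, 'X' * 40)                 # => 1
  puts naive_work(good, good[0, 20] + 'X' * 20)   # => 21
  puts verify(secret, 'user=42', good)            # => true
  puts verify(secret, 'user=43', good)            # => false
end
```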

Rails 2.3.4 released

Ruby on Rails 2.3.4 has been released. In addition to containing the two patches mentioned above, it fixes more than 100 bugs (thanks to the BugMash event) and has two minor new features.

CodeRush Xpress 9.2.4 released

Developer Express has released version 9.2.4 of its free CodeRush Xpress product. If you’re looking for a Visual Studio add-in to make you a bit more efficient, I suggest you give it a spin.

Microsoft betas Windows Cache Extension for PHP

PHP developers deploying IIS can now start using the beta of the Windows Cache Extension for PHP. This IIS module caches PHP bytecode, which reduces the time needed to run scripts and cuts I/O overhead. It also caches relative file path resolutions, which can speed up PHP scripts, since they perform a large number of path resolutions.

Red Hat cautions against using Azure

Red Hat is saying that Microsoft’s Azure cloud is an attempt to lock in customers the way vendors did in the 1980s. Well, duh. That’s been the model of every third-party vendor who hopes to host your application/content/whatever. Even Web/mail hosts make it hard to switch to a different host if you purchased your domain name through them. This is why I never trust third-party vendors and do not like to do business with them except when needed.

Is Web developers’ laziness to blame for malware?

IBM is saying that Web developers are: failing to do the kind of testing needed to catch bugs, still making the same rookie mistakes they always have, and failing to install patches, all resulting in major security problems.

There seems to be the implication here that Web developers are lazy. I think this is partially true (then again, it is more work now to have a SQL injection hole in your code than to do things the right way), but I also think that folks sometimes overlook the unrealistic expectations on many Web development projects. Too many times, management seems to think that Web developers have some magic formula or secret tool that exempts their projects from needing testing. If anything, the reliance upon third-party frameworks makes problems so much worse because there is now a massive dependency on something that gets a new version every two weeks.

Wolfram Alpha API on its way

Wolfram Alpha is working on putting together an API and opening it up to third-party developers. While Wolfram Alpha’s searches may not be as general purpose as a normal search engine’s, I’ve found a lot of usefulness in its data, and some apps may benefit from integrating with it.

A look at Visual Studio 2010’s architecture tools

Somasegar has a nice article about Visual Studio 2010’s built-in architecture tools. I really like what I’m seeing here; the tools look like they can put together the kinds of information I used to slave away in Visio to produce.

Java Fast Sockets make Java communications quicker on clusters

For high-performance applications in a clustered environment, Java Fast Sockets reduces much of the overhead of network communications and speeds them up.

Microsoft announces more PDC sessions

Microsoft has made public 31 additional Professional Developers Conference (PDC) sessions for the conference in November.

Start-up workshop in San Francisco

Joel Spolsky is putting together a workshop in San Francisco for Web start-up companies in November. It’s an add-on to the Business of Software conference and is free to anyone attending that conference.

Japanese developer “draws” Mount Fuji with HTML source code

Here’s the programming oddity of the week: a Japanese Web developer put together some extremely redundant HTML that looks just like the view of Mount Fuji from his office. It’s hard to describe… click through the link for a great laugh.

Algodoo makes physics Phun

Born out of the Phun projects, Algodoo has been released. This is a great tool for exploring physics for adults and children alike, and I encourage you to check it out.


Disclosure of Justin’s industry affiliations: Justin James has a contract with Spiceworks to write product buying guides.
