Matt Kull on 27 Jun 2007 19:43:42 -0000



[PhillyOnRails] Re: talk Digest, Vol 21, Issue 29


I am using Capistrano on Windows XP Professional.  I have not had any issues really.  I am certainly not an expert but let me know any specific issues you have and I might be able to help.

As far as passwords echoing to terminal, no fix for that.  I have not had any issues with transfers.  I am using svnserve, not svn+ssh.

Matt Kull

On 6/27/07, talk-request@phillyonrails.org <talk-request@phillyonrails.org> wrote:


Today's Topics:

   1. Re: ModSecurity / PHPIDS (Darian Anthony Patrick)
   2. Re: Meeting Recap (Darian Anthony Patrick)
   3. Re: ModSecurity / PHPIDS (Keith Fitzgerald)
   4. Aptana and some "industrial grade" RDBMS-ness on a "where to
      find a cheap Enterprise Server"... (GREG NEELEY)
   5. Re: ModSecurity / PHPIDS (Mat Schaffer)
   6. Re: ModSecurity / PHPIDS (Keith Fitzgerald)
   7. Re: Meeting Recap (Darian Anthony Patrick)
   8. capistrano on windows (Mat Schaffer)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Jun 2007 16:22:36 -0400
From: Darian Anthony Patrick <darian@criticode.com>
Subject: Re: [PhillyOnRails] ModSecurity / PHPIDS
To: talk@phillyonrails.org
Message-ID: <4681758C.7060900@criticode.com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keith Fitzgerald wrote:
> Just a thought: it'd be pretty cool to build in pen testing for RoR. If
> anyone is interested in collaborating on such a project, I'd be very
> interested.

Keith,

I'm curious what you mean by "build in" pen testing.  How so?

- --
Darian Anthony Patrick, ZCE, GWAS
Principal, Application Development
Criticode LLC
(215) 240-6566 Office
(866) 789-2992 Facsimile
Web:   http://criticode.com
Email: darian@criticode.com
JID:   darian@jabber.criticode.net


------------------------------

Message: 2
Date: Tue, 26 Jun 2007 17:11:03 -0400
From: Darian Anthony Patrick <darian@criticode.com>
Subject: Re: [PhillyOnRails] Meeting Recap
To: talk@phillyonrails.org
Message-ID: <468180E7.5060504@criticode.com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Erin Mulder wrote:
> Colin Bartlett volunteered to talk about rspec, Allen Fair is going to
> step up to the plate and give an Email In/Out of Ruby talk, and I'm
> already slotted to do a talk next month on Deployment Options.  If any
> of you are up for speaking on other topics on this list (or have other
> ideas), please email organizers@phillyonrails.org and let us know!

When is that Email In/Out of Ruby talk happening?

- --
Darian Anthony Patrick, ZCE, GWAS
Principal, Application Development
Criticode LLC
(215) 240-6566 Office
(866) 789-2992 Facsimile
Web:   http://criticode.com
Email: darian@criticode.com
JID:   darian@jabber.criticode.net


------------------------------

Message: 3
Date: Tue, 26 Jun 2007 17:13:54 -0400
From: "Keith Fitzgerald" <kfitzgerald@gmail.com>
Subject: Re: [PhillyOnRails] ModSecurity / PHPIDS
To: talk@phillyonrails.org
Message-ID: <b78316ea0706261413l69caa984u9325fd0293a7fc0a@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Well, I guess I [poorly] wrote two statements in that email: one dealing with
run-time security and one random thought about checking your application for
holes pre-deployment.

Regarding pre-deployment security, I imagine it would be pretty easy to
check for common cases that *could* lead to XSS exploits, i.e. many
applications simply just trust user input and do not validate.

Or, for example, Rails by default allows GET as well as POST submissions. An
easy test would be to check that GET requests are blocked in form actions. Unless
this is no longer default behavior?

On 6/26/07, Darian Anthony Patrick <darian@criticode.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Keith Fitzgerald wrote:
> > Just a thought: it'd be pretty cool to build in pen testing for RoR. If
> > anyone is interested in collaborating on such a project, I'd be very
> > interested.
>
> Keith,
>
> I'm curious what you mean by "build in" pen testing.  How so?
>
> - --
> Darian Anthony Patrick, ZCE, GWAS
> Principal, Application Development
> Criticode LLC
> (215) 240-6566 Office
> (866) 789-2992 Facsimile
> Web:   http://criticode.com
> Email: darian@criticode.com
> JID:   darian@jabber.criticode.net

------------------------------

Message: 4
Date: Tue, 26 Jun 2007 19:25:55 -0700 (PDT)
From: GREG NEELEY <greg_w_neely@yahoo.com>
Subject: [PhillyOnRails] Aptana and some "industrial grade" RDBMS-ness
        on a "where to find a cheap Enterprise Server"...
To: talk@phillyonrails.org
Message-ID: <822441.18111.qm@web82801.mail.mud.yahoo.com>
Content-Type: text/plain; charset="us-ascii"

June 26, 2007

http://www.novell.com/products/openworkgroupsuite/howtobuy.html

"The West is the best" - J. Morrison

Thanks to all for APTANA tips, including LINUX successes.

Tried to download the Enterprise editions (comes with William Shatner:-) of
the "oldies but goodies": DB2 9 Enterprise for Linux, and Oracle 10g for LINUX (x86).

¿Por qué? (that means, "why?" in Spanish for those concerned with the immigration bill;-)

The APTANA IDE for LINUX has connectivity drivers for both the Oracle and IBM RDBMS products, so why not?
Why not have some industrial-grade RDBMS servers available under the hood if using APTANA for Rails work?

The "free download" sticker shocker?  The IBM RDBMS product, DB2 9 Enterprise for LINUX, installed without any warning on
a desktop version of Suse Linux (Enterprise Desktop 10), after electronically stating clearly, "installation successful", and is hence partially, but not completely, dysfunctional; only Suse Enterprise Server products from NOVELL (not the desktop variants) are among those supported by IBM (Egads!!!, Gadzooks!!!, and General Badness!!!...).

Huzzah!!! that the Oracle 10G download at least gave me an idiot light saying, "you need a different OS, guy", and did NOT proceed with the install on the Desktop 10 LINUX variant from NOVELL.

And, to conclude, this explains the URL at the top.  Not a bad deal from NOVELL on Suse "Captain Kirk" Server 9, bundled with the WorkGroup Collaboration suite.  I've read the word "collaborate" used by Philly on Rails members more times than "Show Me the Money, Jerry" (my personal fave):-)

Looking at these prices at the above URL, a lot of us spend that much money on beer in a month:-)

Onward through the fog,
Greg in KC.




------------------------------

Message: 5
Date: Wed, 27 Jun 2007 09:15:24 -0400
From: Mat Schaffer <schapht@gmail.com>
Subject: Re: [PhillyOnRails] ModSecurity / PHPIDS
To: talk@phillyonrails.org
Message-ID: <FED2C211-7A50-4FFB-A7E3-0A63C7FE1690@gmail.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

On Jun 26, 2007, at 5:13 PM, Keith Fitzgerald wrote:
> Regarding pre-deployment security, I imagine it would be pretty
> easy to check for common cases that *could* lead to XSS exploits,
> i.e. many applications simply just trust user input and do not
> validate.
>
> Or, for example, Rails by default allows GET as well as POST
> submissions. An easy test would be to check that GET requests are
> blocked in form actions. Unless this is no longer default behavior?

I could see this being implemented as warnings during functional or
integration testing.  Perhaps with some sort of meta-programming to
bring the requirement down to one statement?  Just thinking out loud
here, really.
-Mat
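The check Keith proposes (GET rejected on state-changing actions) and Mat's idea of reducing it to one statement in a functional test, as an added Ruby example that is not from the thread, from Rails or from any project the thread names: a constructed Rack-style stand-in for a controller (hypothetical `TinyController`, no Rails or Rack gem needed), a deliberately misconfigured variant, and a helper that reports which actions still accept GET.

```ruby
require 'uri'

# Constructed stand-in for a Rails controller (hypothetical; no Rails needed):
# a Rack-style app mapping action names to handlers.
class TinyController
  ACTIONS = {
    'index'   => ->(_params) { [200, 'listing'] },
    'create'  => ->(params)  { [201, "created #{params['name']}"] },
    'destroy' => ->(params)  { [200, "destroyed #{params['id']}"] }
  }.freeze
  # Actions that change state; subclasses override to model a misconfigured app.
  def self.post_only
    %w[create destroy]
  end

  def call(env)
    action  = env['PATH_INFO'].to_s.sub(%r{\A/}, '')
    handler = ACTIONS[action]
    return [404, {}, ['not found']] unless handler
    # The check from the thread: state-changing actions reject anything but POST.
    if self.class.post_only.include?(action) && env['REQUEST_METHOD'] != 'POST'
      return [405, { 'Allow' => 'POST' }, ['method not allowed']]
    end
    params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
    status, body = handler.call(params)
    [status, {}, [body]]
  end
end

# A deliberately misconfigured variant: nothing is restricted to POST.
class LeakyController < TinyController
  def self.post_only
    []
  end
end

# The one-statement check a functional test would call: issues a GET to each
# named action and returns those that answer with a non-error status.
module GetLeakCheck
  def self.status_for(app, method, action, query = '')
    status, = app.call({ 'REQUEST_METHOD' => method,
                         'PATH_INFO' => "/#{action}",
                         'QUERY_STRING' => query })
    status
  end

  def self.actions_accepting_get(app, *actions)
    actions.map(&:to_s).select { |a| status_for(app, 'GET', a) < 400 }
  end
end
```

An empty result from `actions_accepting_get` means every listed action refused GET; a non-empty one is the warning Mat describes.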


------------------------------

Message: 6
Date: Wed, 27 Jun 2007 09:24:32 -0400
From: "Keith Fitzgerald" <kfitzgerald@gmail.com>
Subject: Re: [PhillyOnRails] ModSecurity / PHPIDS
To: talk@phillyonrails.org
Message-ID: <b78316ea0706270624r7af5b4dtb26c6d3fa602dd00@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Haha, yeah, I'm also thinking out loud. Been real interested in security of
late and just got back from USENIX, so now I'm paranoid.

I'll look around a little more and report back :-)

On 6/27/07, Mat Schaffer <schapht@gmail.com> wrote:
>
> On Jun 26, 2007, at 5:13 PM, Keith Fitzgerald wrote:
> > Regarding pre-deployment security, I imagine it would be pretty
> > easy to check for common cases that *could* lead to XSS exploits,
> > i.e. many applications simply just trust user input and do not
> > validate.
> >
> > Or, for example, Rails by default allows GET as well as POST
> > submissions. An easy test would be to check that GET requests are
> > blocked in form actions. Unless this is no longer default behavior?
>
> I could see this being implemented as warnings during functional or
> integration testing.  Perhaps with some sort of meta-programming to
> bring the requirement down to one statement?  Just thinking out loud
> here, really.
> -Mat

------------------------------

Message: 7
Date: Wed, 27 Jun 2007 09:36:03 -0400
From: Darian Anthony Patrick <darian@criticode.com>
Subject: Re: [PhillyOnRails] Meeting Recap
To: talk@phillyonrails.org
Message-ID: <468267C3.1020300@criticode.com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Darian Anthony Patrick wrote:
> Erin Mulder wrote:
>> Colin Bartlett volunteered to talk about rspec, Allen Fair is going to
>> step up to the plate and give an Email In/Out of Ruby talk, and I'm
>> already slotted to do a talk next month on Deployment Options.  If any
>> of you are up for speaking on other topics on this list (or have other
>> ideas), please email organizers@phillyonrails.org and let us know!
>
> When is that Email In/Out of Ruby talk happening?
>

Never mind, found it on the Meetings page.

- --
Darian Anthony Patrick, ZCE, GWAS
Principal, Application Development
Criticode LLC
(215) 240-6566 Office
(866) 789-2992 Facsimile
Web:   http://criticode.com
Email: darian@criticode.com
JID:   darian@jabber.criticode.net


------------------------------

Message: 8
Date: Wed, 27 Jun 2007 14:55:03 -0400
From: Mat Schaffer <schapht@gmail.com>
Subject: [PhillyOnRails] capistrano on windows
To: talk@phillyonrails.org
Message-ID: <297EE022-375B-4C0D-BD71-376A8F1DFBF9@gmail.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Any of you folks using Capistrano to deploy from Windows?  It doesn't
work so hot out of the box.  First, since there's no termios,
passwords echo to the console.  Then transfers don't work right.  I
googled a bit, but thought I'd see if anyone here had experience.

Thanks in advance,
Mat


------------------------------



End of talk Digest, Vol 21, Issue 29
************************************
