• Pista (unregistered)
    Steve The Cynic:
    The article:
    There are armed military personnel with assault weapons in-hand in heavily travelled areas.
    I live in France, and I pass through a major railway station every working day. Like all significant French railway stations, it features multiple groups of soldiers with assault weapons, and has done since 1992.

    The groups are usually three soldiers and a normal policeman, of the Police Nationale. (The French police are divided into two main groups, the Nationale and the Municipale. As I understand it, the Nationale are responsible for most criminal investigation, while the Municipale are responsible for local stuff like parking and moving traffic violations. There's a certain level of tension between the two groups.)

    Just a curiosity: what is the Gendarmerie for? In the past I've spent quite some time in France, but I couldn't figure out the difference between these three.

  • (cs)

    Citibike isn't a card, it's more of a key-fob.

    And you don't need the electronic card, that's just the convenience way so that you can skip the line to use your credit card at the stupid kiosk and get the bike directly.

  • filnet (unregistered)

    Yes, gendarmes are MPs.

    "Gen" can be translated to people and "arme" to weapon. So gendarmes are "people of weapon"...

    That said, the gentlemen with assault weapons patrolling the French railway stations look more like people from the Légion Etrangère (Foreign Legion). I am pretty sure I have heard them talk to each other in a language other than French.

  • (cs)
    Dude:
    Shoreline:
    I don't recognise the language. Regardless, I assume this is part of a kill-switch?

    Could be Ruby

    Definitely Ruby. If you see a hash[:symbol] construct like params[:password] almost definitely Ruby. And the rest of the code shouts Rails (controller with method named destroy calling redirect_to. don't know what the missing space after redirect_to is, but w/e.)

    The method 'destroy' deletes something. In this case, it's deleting whatever the SpecificController controls, which (if the app is following rails conventions) would be "specifics." I'd tell you more but it seems the specifics have already been deleted :P

  • (cs)
    Steve The Cynic:
    I live in France, and I pass through a major railway station every working day. Like all significant French railway stations, it features multiple groups of soldiers with assault weapons, and has done since 1992.
    A few weeks ago, we were on a holiday in Paris, and when queuing for the Eiffel Tower there was an attractive young female, blonde, in military fatigues and carrying what looked like an FN P-90.

    I also remember walking in Paris in 1989 with a friend of mine, and as it happened, there was a G7 summit. A certain road, where the important people would pass, was lined with policemen (or gendarmes, can't remember) every 10 metres. All of them carrying SMGs, and every single one of them looking me in the eye. It was somewhat discomforting.

    Also, in Paris (and France in general), you'll notice that there are no rubbish bins - only transparent plastic bags.

  • faoileag (unregistered)

    Where's the WTF in the Article? Ok, someone specifies a class that does something when a submitted password matches a hardcoded one.

    Is that class ever instantiated or the base class of an instantiated class? No: -> no WTF

    Yes: ok, it gets instantiated. Is the method "destroy" ever called? No: -> no WTF

    Ok, so it gets called. If the parameter "password" matches "NewYork", the element in Team that is identified by the parameter "id" has its "destroy" method called.

    This looks like some backdoor for debugging purposes and should perhaps be removed from production code, but a WTF? A minor one maybe but nothing as grand as the DST one on Monday.

  • Marvin the Martian (unregistered)
    Pete:
    The Gendarmerie ... doing stuff that would make good films or shocking news reports.
    That would then most likely be CRS. The few hours per week they leave the dojo/gym, they are not laughed at by even the craziest of hardened hooligans; I've seen three perform a kind of conjuring act where they seemingly did nothing but a heap of bruised, bleeding and broken men on the ground suggested otherwise.

    The whole police structure is different from what's been said up to now: The Gendarmerie is not the National Police.

    1/ Municipal police: works from villages to towns and smaller cities. Have territorial boundaries (cannot pursue/have authority across those). Keep order, so traffic and minor disputes; reports to the mayor.

    1b/ Rural policemen ('champetres'). Game warden, forester, keeps the peace. Technically military (gendarme), reports to the mayor.

    2/ National police (used to be called National security): Does all investigative work (crimes from assault to terrorism), riot control (=CRS), identity checks, personal protection, patrol and response (with authority over all the country, so pursuits:), motorway and mountain police, ...

    3/ Gendarme: Branch of the military under the ministry of the interior (not defense!). Contains SWAT-style special forces and Military Police of course, but bulk is national security and public safety. They also do riot control and public patrolling of international gateways (airports, stations), and some investigative work under the judiciary.

    So it's clear where the tension/overlap would cause problems between services.

    Many European 'police' forces are similarly structured; 'gendarmerie' would be 'carabinieri', 'marechaussee', 'rijkswacht/gendarmerie', 'guardia civil' in Italy, Holland, Belgium and Spain respectively.

  • Keith Gregory (unregistered)
    1. More than a little tacky to post this today.

    2. A hardcoded password? Really? That's the best that the DailyWTF has to offer?

  • Matteo Settenvini (unregistered) in reply to faoileag
    faoileag:
    Where's the WTF in the Article? Ok, someone specifies a class that does something when a submitted password matches a hardcoded one.

    Is that class ever instantiated or the base class of an instantiated class? No: -> no WTF

    Yes: ok, it gets instantiated. Is the method "destroy" ever called? No: -> no WTF

    Ok, so it gets called. If the parameter "password" matches "NewYork", the element in Team that is identified by the parameter "id" has its "destroy" method called.

    The problem is that, in Rails, you can get to that controller and call a destroy method by making a HTTP request to:

    http://website/specific/1?password=New%20York

    with the DELETE HTTP verb. That will delete the team with ID 1 from the database, no questions asked.

    Which is something you can easily do from e.g. curl. If you want to remove all teams (which probably have some DELETE ON CASCADE constraints to all linked entities), a for loop suffices:

    for i in `seq 1 1000`; do 
      curl -X DELETE "http://website/specific/${i}?password=New%20York"; 
    done
    

    Have fun. Not a major WTF (you need to know the clear-text password), but surely not something you want in production. In Rails, you should rely on something like Devise to provide the authentication layer, and avoid such nonsense.

  • (cs) in reply to filnet
    filnet:
    Yes, gendarmes are MPs.

    "Gen" can be translated to people and "arme" to weapon. So gendarmes are "people of weapon"...

    That said, the gentlemen with assault weapons patrolling the French railway stations look more like people from the Légion Etrangère (Foreign Legion). I am pretty sure I have heard them talk to each other in a language other than French.

    It depends. They are all some flavour of regular(*) army troops, but the exact regiment is subject to rotation.

    (*) Yes, yes, I know, the Légion Etrangère is an elite force, but it is neither "special forces" nor part of the police.

  • faoileag (unregistered) in reply to Matteo Settenvini
    Matteo Settenvini:
    The problem is that, in Rails, you can get to that controller and call a destroy method by making a HTTP request to:

    http://website/specific/1?password=New%20York

    with the DELETE HTTP verb. That will delete the team with ID 1 from the database, no questions asked. ...

    curl -X DELETE "http://website/specific/${i}?password=New%20York"; 
    

    Ouch. I didn't know that.

    So, what you are telling me is: "In Ruby-On-Rails all classes that inherit from GenericController are open to the general public and have some well-known methods that match well-known HTTP verbs"?

    So that anybody with some knowledge of Ruby-On-Rails can penetration test your website to see if you have been professional enough to make it watertight?

    Ok, you still need the name of the derived classes, but still.

    And this is not considered a WTF in the Rails framework?

  • EvilSnack (unregistered)
    mikeTheLiar:
    What, no ass-crack picture today?
    You say that like it's a bad thing.
  • drake (unregistered)

    Yes because other languages encourage bad practices. We all know programmer skill is based on the language he uses. No bad code in Rails or python, no good code in javascript or C.

  • (cs) in reply to fennec
    fennec:
    Dude:
    Shoreline:
    I don't recognise the language. Regardless, I assume this is part of a kill-switch?

    Could be Ruby

    Definitely Ruby. If you see a hash[:symbol] construct like params[:password] almost definitely Ruby. And the rest of the code shouts Rails (controller with method named destroy calling redirect_to. don't know what the missing space after redirect_to is, but w/e.)

    The method 'destroy' deletes something. In this case, it's deleting whatever the SpecificController controls, which (if the app is following rails conventions) would be "specifics." I'd tell you more but it seems the specifics have already been deleted :P

    Or...it could be a parameter to ADO.Net for MySQL:

    // MySqlCommand and the MySqlDbType enum come from MySql.Data.MySqlClient (Connector/NET).
    using (var outAttendeeActivity = new MySqlCommand("Insert into AttendeeActivity (Attendee_ID, Event_ID, Activity_nm, Notes_txt)" +
          "VALUES (:Attendee_ID, :Event_ID, :Activity_nm, :Notes_txt)", _connTo))
    {
      // Declare each placeholder with its column type (and a length for the VARCHAR columns).
      outAttendeeActivity.Parameters.Add(":Attendee_ID", MySqlDbType.Int64);
      outAttendeeActivity.Parameters.Add(":Event_ID", MySqlDbType.Int64);
      outAttendeeActivity.Parameters.Add(":Activity_nm", MySqlDbType.VarChar, 60);
      outAttendeeActivity.Parameters.Add(":Notes_txt", MySqlDbType.VarChar, 2000);
      // etc...
    }
    
  • Crash Magnet (unregistered)

    If Ruby is on Rails and tries to delete the train station without the password, would the Gendarmerie try to arrest her?

  • (cs)

    Definitely Ruby (or something nearly identical), but probably not Rails. (For those not familiar with the tools: Ruby is a language, and Rails, often called Ruby On Rails, is a web-app framework written in Ruby. Rails is the most commonly known use of Ruby, but certainly not the only.)

    If it were Rails, it would probably be inheriting from ApplicationController rather than GenericController, and redirecting to 'index' rather than 'list'. People can, but rarely do, use names other than these common ones produced by the generators.

    I'm not personally familiar with the other Ruby web-app frameworks like Sinatra and Padrino, but it could be one of those.

  • (cs)
    They even make you use electronic key cards to access public bicycles
    Huh, how else would you access them?
  • Amakudari (unregistered) in reply to faoileag
    faoileag:
    Matteo Settenvini:
    The problem is that, in Rails, you can get to that controller and call a destroy method by making a HTTP request to:

    http://website/specific/1?password=New%20York

    with the DELETE HTTP verb. That will delete the team with ID 1 from the database, no questions asked. ...

    curl -X DELETE "http://website/specific/${i}?password=New%20York"; 
    

    Ouch. I didn't know that.

    So, what you are telling me is: "In Ruby-On-Rails all classes that inherit from GenericController are open to the general public and have some well-known methods that match well-known HTTP verbs"?

    So that anybody with some knowledge of Ruby-On-Rails can penetration test your website to see if you have been professional enough to make it watertight?

    Ok, you still need the name of the derived classes, but still.

    And this is not considered a WTF in the Rails framework?

    Well, you'd still need a route to it. And typically you would authenticate the user outside the body of destroy, such as via some method on GenericController. There's no telling whether this is only accessible by admins, etc. In any case, it's not a WTF of Rails.

  • Cidolfas (unregistered)

    It does look like Rails code where someone subclassed ApplicationController (e.g. with some generic behavior for a subsection of the app) and made a page called "list" instead of "index" for whatever reason.

    There is no real WTF in the fact that it's deleting the Team in question; that's exactly what a "destroy" route is supposed to do, although there should be some error checking in there (e.g. if the ID doesn't exist or there's a problem deleting it). The WTF is actually that it won't delete it unless the password matches "New York" for some godawful reason.

  • C-Derb (unregistered)

    A Red Sox fan, perhaps?

  • (cs) in reply to Auction_God
    Auction_God:
    fennec:
    Dude:
    Shoreline:
    I don't recognise the language. Regardless, I assume this is part of a kill-switch?

    Could be Ruby

    Definitely Ruby. If you see a hash[:symbol] construct like params[:password] almost definitely Ruby. And the rest of the code shouts Rails (controller with method named destroy calling redirect_to. don't know what the missing space after redirect_to is, but w/e.)

    The method 'destroy' deletes something. In this case, it's deleting whatever the SpecificController controls, which (if the app is following rails conventions) would be "specifics." I'd tell you more but it seems the specifics have already been deleted :P

    Or...it could be a parameter to ADO.Net for MySQL:

    // MySqlCommand and the MySqlDbType enum come from MySql.Data.MySqlClient (Connector/NET).
    using (var outAttendeeActivity = new MySqlCommand("Insert into AttendeeActivity (Attendee_ID, Event_ID, Activity_nm, Notes_txt)" +
          "VALUES (:Attendee_ID, :Event_ID, :Activity_nm, :Notes_txt)", _connTo))
    {
      // Declare each placeholder with its column type (and a length for the VARCHAR columns).
      outAttendeeActivity.Parameters.Add(":Attendee_ID", MySqlDbType.Int64);
      outAttendeeActivity.Parameters.Add(":Event_ID", MySqlDbType.Int64);
      outAttendeeActivity.Parameters.Add(":Activity_nm", MySqlDbType.VarChar, 60);
      outAttendeeActivity.Parameters.Add(":Notes_txt", MySqlDbType.VarChar, 2000);
      // etc...
    }
    

    That's ":symbol" still, not :symbol or hash[:symbol].

  • Mike (unregistered)

    Presumably the bicycles are secured to make sure that nobody rides them into the sides of tall buildings?

  • Nochte (unregistered)

    It's rails.

    SpecificController (who names a controller that?) is a subclass of GenericController. Most likely, GenericController implements access control. No major WTF here.

    CAPTA: Plaga. I dunno, what's a plaga you?

  • (cs) in reply to Cidolfas
    Cidolfas:
    It does look like Rails code where someone subclassed ApplicationController (e.g. with some generic behavior for a subsection of the app) and made a page called "list" instead of "index" for whatever reason.

    Using List instead of Index was common in the Rails 1.x days before REST gained popularity and became the norm in Rails 2.x.

    Normally in Rails you would have something specifying that you can only post to a destroy method (the common way is to have the Rails code wrap a form around a destroy button).

    Disclaimer: I haven't used Rails in a long time, pretty much before Rails 3, so this is foggy remembering from when I was learning it.

    Assuming that GenericController is a base class that inherits ApplicationController, then it could be the only WTF is comparing a hard-coded password to determine if the delete should be done.

  • (cs) in reply to faoileag
    faoileag:
    So, what you are telling me is: "In Ruby-On-Rails all classes that inherit from GenericController are open to the general public and have some well-known methods that match well-known HTTP verbs"?

    So that anybody with some knowledge of Ruby-On-Rails can penetration test your website to see if you have been professional enough to make it watertight?

    Ok, you still need the name of the derived classes, but still.

    And this is not considered a WTF in the Rails framework?

    A little off.

    In Ruby on Rails, all routes which are dispatched via the resource-routing conventions in ActionDispatch::Routing to classes which inherit from ActionController::Base (as is presumably the case for GenericController) expose to the framework certain methods such as show, index, new, create, edit, update, and destroy. (e.g. "index" is a list of blog posts, "show" is the actual post, "new" generates a form for a new post, "create" processes that form, "edit" generates a form to edit the post, "update" processes that form, and "destroy" deletes the post). CRUD-in-a-box. You have to write the code that actually does that updating/deleting/etc, it's not free in the framework. (You could in fact write much of it in a generic controller of some sort, but that does not need to be the case here).

    And unless you take action to install authentication and authorization code, then yes, they'll be accessible to everyone. There are popular authentication/authorization middlewares and frameworks, like Devise and CanCan. They work well. A good setup with CanCan helps make it harder to write insecure code than it is to write secure code. (You rely on CanCan in your application's generic controller to load and authorize your objects/collections inside your controllers and deliver them via convenient instance variables, so you don't forget to do any authorization steps unless you go the inconvenient route of loading things yourself.)

    These programmers did install authentication/authorization mechanisms. They're just... not very good ones... relying on plaintext strings...

    But anyway the point is that the things in the controllers are in fact things that you want exposed to your users. There's no WTF about exposing them in a manner consistent with a naming convention.
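    As an added example (editor's code, neither the article's snippet nor Rails itself), here is a plain-Ruby sketch of the dispatch that this comment and Amakudari's describe: resource routing to a destroy action, a filter chain on the base controller, and the hard-coded "New York" gate placed beside a version that authenticates in the base class and authorizes per record instead. Team's in-memory table, AuthenticatedController, HardenedSpecificController, require_login and dispatch are constructed for the example; before_action, redirect_to and head only imitate the Rails hooks of the same name.

```ruby
require "cgi"
require "uri"

# Constructed stand-in for the ActiveRecord Team model: a small in-memory table.
class Team
  TABLE = {}
  def self.reset!; TABLE.replace(1 => "Alpha", 2 => "Bravo", 3 => "Charlie"); end
  def self.count;  TABLE.size; end
  def self.find(id)
    raise KeyError, "Couldn't find Team with id=#{id}" unless TABLE.key?(id)
    new(id)
  end
  def initialize(id); @id = id; end
  def destroy; TABLE.delete(@id); end
end
Team.reset!

# Minimal imitation of what ActionController::Base gives a controller: params,
# a before_action filter chain that can halt the request, redirect_to, head,
# and a current_user taken from the session (constructed, not Rails).
class GenericController
  attr_reader :params

  def initialize(params, session)
    @params, @session, @response = params, session, nil
  end

  def self.before_action(name)
    (@before_actions ||= []) << name
  end

  def self.before_actions
    parent = superclass.respond_to?(:before_actions) ? superclass.before_actions : []
    parent + (@before_actions || [])
  end

  # Inherited filters run first; a filter that renders halts the chain.
  def process(action)
    self.class.before_actions.each do |filter|
      send(filter)
      return @response if @response
    end
    send(action)
    @response
  end

  def redirect_to(opts); @response = [302, "Location: #{opts[:action]}"]; end
  def head(status);      @response = [status, ""];                       end
  def current_user;      @session[:user];                                end
end

# Version A, the shape the thread is discussing: whoever reaches the route with
# the clear-text string in the query deletes the record; no identity is checked.
class SpecificController < GenericController
  def destroy
    Team.find(params[:id]).destroy if params[:password] == "New York"
    redirect_to action: "list"
  end
end

# Version B: authentication lives in the base controller's filter chain (the
# role Devise fills), the action authorizes the caller (the role CanCan fills),
# and there is no secret in the URL at all.
class AuthenticatedController < GenericController
  before_action :require_login
  def require_login; head 401 unless current_user; end
end

class HardenedSpecificController < AuthenticatedController
  def destroy
    return head(403) unless current_user[:role] == "admin"
    Team.find(params[:id]).destroy
    redirect_to action: "list"
  rescue KeyError
    head 404   # unknown id: report it instead of failing mid-request
  end
end

# Resource routing in miniature: DELETE /specific/:id -> SpecificController#destroy.
ROUTES = {
  ["DELETE", "specific"] => [SpecificController, :destroy],
  ["DELETE", "hardened"] => [HardenedSpecificController, :destroy]
}.freeze

# Parse the request URL into params (id from the path, the rest from the query
# string, unescaped the way Rails would) and run the routed action.
def dispatch(verb, url, session = {})
  uri = URI.parse(url)
  _, resource, id = uri.path.split("/")
  params = { id: Integer(id) }
  CGI.parse(uri.query.to_s).each { |k, v| params[k.to_sym] = v.first }
  controller, action = ROUTES.fetch([verb, resource])
  controller.new(params, session).process(action)
end
```

    With the first route, `dispatch("DELETE", "http://website/specific/1?password=New%20York")` deletes team 1 with no session at all; with the second, the same request without a logged-in admin gets a 401 or 403 and the table is untouched.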

  • Guran (unregistered) in reply to Crash Magnet
    Crash Magnet:
    If Ruby is on Rails and tries to delete the train station without the password, would the Gendarmerie try to arrest her?
    Ruby, is she the president daughter?
  • Byroot (unregistered)

    This is Ruby on Rails controller code.

    The thing is, there is no security hole here because the .equals method does not exist. So all this code will do is raise an exception before deleting anything.

    Unless the article contains a typo and the original code is params[:password].equal?("New York")

    For the people asking about French police:

    Police Nationale: Regular police paid by the government; they are in charge of cities of more than ~10/15 thousand inhabitants.

    Police Municipale: Additional police for little things, paid by the city. They generally do not have a weapon; their mission depends on the mayor.

    Gendarmerie: Military corps (like the Air Force or Navy) assigned to police missions in the countryside and little cities.

    The military you see in airports etc. are regular French army soldiers on a counter-terrorist mission, sometimes with regular cops, sometimes not. They do carry an assault rifle, but if you look closely, there is no magazine attached. They are there just for the show.

  • (cs)
    Steve The Cynic:
    The article:
    There are armed military personnel with assault weapons in-hand in heavily travelled areas.
    I live in France, and I pass through a major railway station every working day. Like all significant French railway stations, it features multiple groups of soldiers with assault weapons, and has done since 1992.
    Why do they carry "assault weapons" when the citizens aren't allowed to have them? What is the threat?
    The groups are usually three soldiers and a normal policeman, of the Police Nationale. (The French police are divided into two main groups, the Nationale and the Municipale. As I understand it, the Nationale are responsible for most criminal investigation, while the Municipale are responsible for local stuff like parking and moving traffic violations. There's a certain level of tension between the two groups.)
    Should we allow tense people to have dangerous weapons?
  • AnOldHacker (unregistered)
    ObiWayneKenobi:
    It's Ruby on Rails, and that's what makes this all the more disheartening because Rails is usually done very well and encourages good programming practices, and things like this would be punished by death.

    Probably somebody who picked up Rails for the ease and didn't bother to actually learn much about it.

    TopCod3r is back!

  • Jerry (unregistered)

    I think this is more than a bit tasteless to post this on 9/11, isn't it?

  • Will A (unregistered) in reply to Matteo Settenvini

    Couldn't this then be used by the developer to blackmail the company later on?

    Pay me $1,000,000, or I'll delete all your teams.

  • Letatio (unregistered) in reply to Will A
    Will A:
    Couldn't this then be used by the developer to blackmail the company later on?

    Pay me $1,000,000, or I'll delete all your teams.

    There are a couple of teams around here, I might pay $1,000,000 to have eliminated

  • (cs) in reply to AnOldHacker
    AnOldHacker:
    ObiWayneKenobi:
    It's Ruby on Rails, and that's what makes this all the more disheartening because Rails is usually done very well and encourages good programming practices, and things like this would be punished by death.

    Probably somebody who picked up Rails for the ease and didn't bother to actually learn much about it.

    TopCod3r is back!

    Don't insult me ever again by comparing me to that troll. Seriously, Rails is usually pretty well written because following the conventions makes it more difficult to write bad code.

    This is not one of those cases.

  • XYZ (unregistered) in reply to DaveAronson

    A lot of people will define a subclass of ActionController with all the extra bells and whistles they want in every controller, and subclass their concrete controllers off of that. That's what I think this GenericController is. It certainly reads like Rails to me.

  • Tilendor (unregistered) in reply to DaveAronson

    This could be completely valid Rails code. The Generic Controller could inherit from the ApplicationController, and while not 'convention' there is nothing stopping anyone from writing a list action, I have in the past.

  • (cs) in reply to anonymous235
    anonymous235:
    They even make you use electronic key cards to access public bicycles
    Huh, how else would you access them?
    Bolt cutters.
  • (cs) in reply to Marvin the Martian
    Marvin the Martian:
    Holland
    TRWTF is being so detailed in your explanation of types of police, and then adding the above in a list of countries.
  • Yale (unregistered) in reply to DaveAronson
    DaveAronson:
    Definitely Ruby (or something nearly identical), but probably not Rails. (For those not familiar with the tools: Ruby is a language, and Rails, often called Ruby On Rails, is a web-app framework written in Ruby. Rails is the most commonly known use of Ruby, but certainly not the only.)

    If it were Rails, it would probably be inheriting from ApplicationController rather than GenericController, and redirecting to 'index' rather than 'list'. People can, but rarely do, use names other than these common ones produced by the generators.

    I'm not personally familiar with the other Ruby web-app frameworks like Sinatra and Padrino, but it could be one of those.

    No, it's definitely Rails. The controller name might have been changed for the example for some reason, or GenericController might be a subclass of ApplicationController with some additional functionality added in. That's certainly not unheard of. As for the redirect, most likely 'list' is just a customized view separate from 'index'.

    As for the WTF, it's not necessarily that bad. If the method isn't responsible for anything defined in the routes.rb file, it can never be called by a user via the web interface. It might have been some code left over from development or testing that was disabled by simply removing the route. Less than entirely good, but not really a security risk in that case.

  • (cs)

    I had a similar case recently. I subscribe to article notification for some trade on-line publications. I accidentally clicked on the unsubscribe link in one E-mail. I was taken to a Web page that stated that I was unsubscribed. There was no confirmation at all.

    To add to the mess, there was no address to E-mail to about this. I ended up sending an E-mail to the editor to get the matter dealt with.

    Sincerely,

    Gene Wirchenko

  • rofl xD (unregistered)

    ha ha mods on 100% full assmad status now.

    ud beter fix ur shit b4 tomorrow cuz its just gonna keep happening.

  • (cs)

    Wow, using 9/11 to push your article, and the content isn't even mildly interesting. Fantastic writing here.

  • (cs)

    Thank you moderators.

  • (cs) in reply to Kivi
    Kivi:
    Thank you moderators.
    Don't thank them too much, they're even deleting the posts making fun of this idiot. Which ultimately, is the only thing he's good for in this life.
  • Tom (unregistered)

    Wouldn't you prefer a nice game of chess ?

  • (cs) in reply to DaveAronson
    DaveAronson:
    Definitely Ruby (or something nearly identical), but probably not Rails. (For those not familiar with the tools: Ruby is a language, and Rails, often called Ruby On Rails, is a web-app framework written in Ruby. Rails is the most commonly known use of Ruby, but certainly not the only.)

    If it were Rails, it would probably be inheriting from ApplicationController rather than GenericController, and redirecting to 'index' rather than 'list'. People can, but rarely do, use names other than these common ones produced by the generators.

    I'm not personally familiar with the other Ruby web-app frameworks like Sinatra and Padrino, but it could be one of those.

    NO. Not Sinatra. Not Padrino. I have to work with those two POS frameworks daily and they look NOTHING LIKE THIS. (Okay, they're not POSes, they're actually quite good at what they're for, which ISN'T structured programming involving sane code reuse paradigms on a large project doing the same CRUD operations on a dozen or more models, and the way we're using them is actually the real WTF.) Sinatra codebases are all about blocks of

    get '/path/spec/:parameter' do 
       # code here
       # self is an instance of the application's Sinatra::Base subclass
       # and has all the methods for communicating with the browser on it
       # and for rendering templates with instance variables on the object and things like that
       # (which makes it awkward to perform code reuse that controls browser-aware operations from OO-aware code)
       status 418
       return "this is the string your application will render!"
    end
    

    and the class isn't called a controller, and the class definitely doesn't inherit from another controller (more like Sinatra::Base). Padrino has some more tools to organize related routes, but its style is largely similar

    Definitely Rails. And if they were smart enough to hardcode passwords they can be smart enough to redirect to a 'list' operation instead of using sane conventions.

  • noaunda (unregistered) in reply to operagost
    operagost:
    Why do they carry "assault weapons" when the citizens aren't allowed to have them? What is the threat?
    You might not be aware, but France has a history of terrorist attacks, especially in 1986. In 1995, a bombing destroyed a metro station, killing 8 and injuring 117, in the heart of Paris. Since then, the army patrols public areas, trash bins have been replaced by transparent bags, it is impossible to hide a bag under your seat in the metro or trains, and you cannot park in front of public places (such as schools etc...). Terrorist attacks are considered a permanent threat in France.
  • (cs)

    Actually, western Europe has quite a history with terrorism, particularly in the seventies and eighties. But in the past 20 years, there has been plenty as well, such as the aforementioned RER and Métro attacks in Paris, the train bombings in Madrid and the 7/7 attacks in London.

    I'm not aware of what was happening in the USA at the time, apart from a lot of aeroplane hijacks in the sixties, but with Germany's Red Army Faction and Italy's Red Brigades as the most prominent examples, there were a LOT of attacks. An infamous example from that period is the Bologna massacre, where neo-fascists (as if the left-wing terrorists weren't enough) bombed a railway station.

    This is why heavily armed police and military are a familiar sight in certain European countries.

  • (cs) in reply to operagost
    operagost:
    Why do they carry "assault weapons" when the citizens aren't allowed to have them? What is the threat?
    Isn't that like asking why traffic cops carry "radar guns" when the citizens aren't allowed to speed?

    On the topic of heavily armed airport security, I flew through Frankfurt in late 2000. At that time, they had pairs of military-looking guys patrolling the airport (don't know if they were police, army, or what have you, but I recall they wore military-style fatigues). I recall that they had one sub-machine gun per pair, and wondered how they chose who got to/had to carry the big gun and who had to make do with just a sidearm.

  • CK (unregistered) in reply to DaveAronson

    No, that's Rails, Sinatra doesn't really have object oriented controllers, and Padrino is an extension thereof.

    What they're probably doing is creating a GenericController that subclasses ApplicationController, and adding common app-specific functionality. It's a pretty common pattern in Rails. The actual logic is non-conventional, but potentially reasonable in context.

    Of course, the WTF is very real. Hardcoded pwd, no parameter sanitization, etc. We can't assume from this snippet that there is absolutely no auth in a before filter somewhere, but there's plenty wrong with it.

  • ForFoxSake (unregistered)

    I won't ask why there is a space between New & York because some idiot will say it "will" match and that won't be my point.

Leave a comment on “The Key to the City”
