- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Just a curiosity: what is the Gendarmerie for? In the past I've spent quite some time in France, but I couldn't figure out the difference between these three.
Admin
Citibike isn't a card, it's more of a key-fob.
And you don't need the electronic card, that's just the convenience way so that you can skip the line to use your credit card at the stupid kiosk and get the bike directly.
Admin
Yes, gendarmes are MPs.
"Gen" can be translated to people and "arme" to weapon. So gendarme are "people of weapon"...
That said, the gentlemen with assault weapons patrolling the French railway stations look more like people from the Légion Etrangère (Foreign Legion). I am pretty sure I have heard them talk to each other in a language other than French.
Admin
Definitely Ruby. If you see a hash[:symbol] construct like params[:password] almost definitely Ruby. And the rest of the code shouts Rails (controller with method named destroy calling redirect_to. don't know what the missing space after redirect_to is, but w/e.)
The method 'destroy' deletes something. In this case, it's deleting whatever the SpecificController controls, which (if the app is following rails conventions) would be "specifics." I'd tell you more but it seems the specifics have already been deleted :P
Admin
I also remember walking in Paris in 1989 with a friend of mine, and as it happened, there was a G7 summit. A certain road, where the important people would pass, was lined with policemen (or gendarmes, can't remember) every 10 metres. All of them carrying SMGs, and every single one of them looking me in the eye. It was somewhat discomforting.
Also, in Paris (and France in general), you'll notice that there are no rubbish bins - only transparent plastic bags.
Admin
Where's the WTF in the Article? Ok, someone specifies a class that does something when a submitted password matches a hardcoded one.
Is that class ever instantiated or the base class of an instantiated class? No: -> no WTF
Yes: ok, it gets instantiated. Is the method "destroy" ever called? No: -> no WTF
Ok, so it gets called. If the parameter "password" matches "NewYork", the element in Team that is identified by the parameter "id" has its "destroy" method called.
This looks like some backdoor for debugging purposes and should perhaps be removed from production code, but a WTF? A minor one maybe but nothing as grand as the DST one on monday.
Admin
The whole police structure is different from what's been said up to now: The Gendarmerie is not the National Police.
1/ Municipal police: works from villages to towns and smaller cities. Have territorial boundaries (cannot pursue/have authority across those). Keep order, so traffic and minor disputes; reports to the mayor. 1b/ Rural policemen ('champetres'). Game warden, forester, keeps the peace. Technically military (gendarme), reports to the mayor.
2/ National police (used to be called National security): Does all investigative work (crimes from assault to terrorism), riot control (=CRS), identity checks, personal protection, patrol and response (with authority over all the country, so pursuits:), motorway and mountain police, ...
3/ Gendarme: Branch of the military under the ministry of the interior (not defense!). Contains SWAT-style special forces and Military Police of course, but bulk is national security and public safety. They also do riot control and public patrolling of international gateways (airports, stations), and some investigative work under the judiciary.
So it's clear where the tension/overlap would cause problems between services.
Many european 'police' forces are similarly structured; 'gendarmerie' would be 'carabinieri', 'marechaussee', 'rijkswacht/gendarmerie', 'guardia civil' in Italy, Holland, Belgium and Spain respectively.
Admin
More than a little tacky to post this today.
A hardcoded password? Really? That's the best that the DailyWTF has to offer?
Admin
The problem is that, in Rails, you can get to that controller and call a destroy method by making a HTTP request to:
http://website/specific/1?password=New%20York
with the DELETE HTTP verb. That will delete the team with ID 1 from the database, no questions asked.
Which is something you can easily do from e.g. curl. If you want to remove all teams (which probably have some DELETE ON CASCADE constraints to all linked entities), a for loop suffices:
for i in `seq 1 1000`; do curl -X DELETE "http://website/specific/${i}?password=New%20York"; doneHave fun. Not a major WTF (you need to know the clear-text password), but surely not something you want in production. In Rails, you should rely on something like Devise to provide the authentication layer, and avoid such nonsense.
Admin
(*) Yes, yes, I know, the Légion Etrangère is an elite force, but it is neither "special forces" nor part of the police.
Admin
Ouch. I didn't know that.
So, what you are telling me is: "In Ruby-On-Rails all classes that inherit from GenericControler are open to the general public and have some well-known methods that match well-known HTTP verbs"?
So that anybody with some knowledge of Ruby-On-Rails can penetration test your website to see if you have been professional enough to make it watertight?
Ok, you still need the name of the derived classes, but still.
And this is not considered a WTF in the Rails framework?
Admin
Admin
Yes because other languages encourages bad practices. We all know programmer skill is based on the language he uses. No bad code in Rails or python, no good code in javascript or C.
Admin
using (var outAttendeeActivity = new MySqlCommand("Insert into AttendeeActivity (Attendee_ID, Event_ID, Activity_nm, Notes_txt)" + "VALUES (:Attendee_ID, :Event_ID, :Activity_nm, :Notes_txt)", _connTo)) { outAttendeeActivity.Parameters.Add(":Attendee_ID", MySqlType.BigInt); outAttendeeActivity.Parameters.Add(":Event_ID", MySqlType.BigInt); outAttendeeActivity.Parameters.Add(":Activity_nm", MySqlType.VarChar, 60); outAttendeeActivity.Parameters.Add(":Notes_txt", MySqlType.VarChar, 2000); // etc... }Admin
If Ruby is on Rails and tries to delete the train station without the password, would the Gendarmerie try to arrest her?
Admin
Definitely Ruby (or something nearly identical), but probably not Rails. (For those not familiar with the tools: Ruby is a language, and Rails, often called Ruby On Rails, is a web-app framework written in Ruby. Rails is the most commonly known use of Ruby, but certainly not the only.)
If it were Rails, it would probably be inheriting from ApplicationController rather than GenericController, and redirecting to 'index' rather than 'list'. People can, but rarely do, use names other than these common ones produced by the generators.
I'm not personally familiar with the other Ruby web-app frameworks like Sinatra and Padrino, but it could be one of those.
Admin
Admin
Well, you'd still need a route to it. And typically you would authenticate the user outside the body of destroy, such as via some method on GenericController. There's no telling whether this is only accessible by admins, etc. In any case, it's not a WTF of Rails.
Admin
It does look like Rails code where someone subclassed ApplicationController (e.g. with some generic behavior for a subsection of the app) and made a page called "list" instead of "index" for whatever reason.
There is no real WTF in the fact that it's deleting the Team in question; that's exactly what a "destroy" route is supposed to do, although there should be some error checking in there (e.g. if the ID doesn't exist or there's a problem deleting it). The WTF is actually that it won't delete it unless the password matches "New York" for some godawful reason.
Admin
A Red Sox fan, perhaps?
Admin
That's ":symbol" still, not :symbol or hash[:symbol].
Admin
Presumably the bicycles are secured to make sure that nobody rides them into the sides of tall buildings?
Admin
It's rails.
SpecificController (who names a controller that?) is a subclass of GenericController. Most likely, GenericController implements access control. No major WTF here.
CAPTA: Plaga. I dunno, what's a plaga you?
Admin
Using List instead of Index was common in the Rails 1.x days before REST gained popularity and became the norm in Rails 2.x
Normally in Rails you would have something specifying that you can only post to a destroy method (the common way is to have the Rails code wrap a form around a destroy button).
Disclaimer: I haven't used Rails in a long time, pretty much before Rails 3, so this is foggy remembering from when I was learning it.
Assuming that GenericController is a base class that inherits ApplicationController, then it could be the only WTF is comparing a hard-coded password to determine if the delete should be done.
Admin
A little off.
In Ruby on Rails, all routes which are dispatched via the resource-routing conventions in ActionDispatch::Routing to classes which inherit from ActionController::Base (as is presumably the case for GenericController) expose to the framework certain methods such as show, index, new, create, edit, update, and destroy. (e.g. "index" is a list of blog posts, "show" is the actual post, "new" generates a form for a new post, "create" processes that form, "edit" generates a form to edit the post, "update" processes that form, and "destroy" deletes the post). CRUD-in-a-box. You have to write the code that actually does that updating/deleting/etc, it's not free in the framework. (You could in fact write much of it in a generic controller of some sort, but that does not need to be the case here).
And unless you take action to install authentication and authorization code, then yes, they'll be accessible to everyone. There are popular authentication/authorization middlewares and frameworks, like Devise and CanCan. They work well. A good setup with CanCan helps make it harder to write insecure code than it is to write secure code. (You rely on CanCan in your application's generic controller to load and authorize your objects/collections inside your controllers and deliver them via convenient instance variables, so you don't forget to do any authorization steps unless you go the inconvenient route of loading things yourself.)
These programmers did install authentication/authorization mechanisms. They're just... not very good ones... relying on plaintext strings...
But anyway the point is that the things in the controllers are in fact things that you want exposed to your users. There's no WTF about exposing them in a manner consistent with a naming convention.
Admin
Admin
This is Ruby on Rails controller code.
The thing is there is no security hole here because the .equals method do not exist. So all this code will do, is raising an exception before deleting anything.
Unless the article contain a typo and the original code is params[:password].equal?("New York")
For the people asking about French police:
Police Nationale: Regular police paid by the governement, they are in charge of cities of more than ~10/15 thousands inhabitants.
Police Municipale: Additional Police for little things, paid by the city. They generally do not have a weapon, their mission depends of the mayor.
Gendarmerie: Military corp (like Air force or Navy) assigned to police missions in the country side and little cities.
The militaries you see in airports etc, are regular French army soldiers in couter terrorist mission, sometimes with regular cops, sometime not. They do carry an assault riffle, but if you look closely, there is no magazine attached. They are here just for the show.
Admin
Admin
TopCod3r is back!
Admin
I think this is more than a bit tasteless to post this on 9/11, isn't it?
Admin
Couldn't this then be used by the developer to black mail the company later on?
Pay me $1,000,000, or I'll delete all your teams.
Admin
There are a couple of teams around here, I might pay $1,000,000 to have eliminated
Admin
Don't insult me ever again by comparing me to that troll. Seriously, Rails is usually pretty well written because following the conventions make it more difficult to write bad code.
This is not one of those cases.
Admin
A lot of people will define a subclass of ActionController with all the extra bells and whistles they want in every controller, and subclass their concrete controllers off of that. That's what I think this GenericController is. It certainly reads like Rails to me.
Admin
This could be completely valid Rails code. The Generic Controller could inherit from the ApplicationController, and while not 'convention' there is nothing stopping anyone from writing a list action, I have in the past.
Admin
Admin
Admin
No, it's definitely Rails. The controller name might have been changed for the example for some reason, or GenericController might be a subclass of ApplicationController with some additional functionality added in. That's certainly not unheard of. As for the redirect, most likely 'list' is just a customized view separate from 'index'.
As for the WTF, it's not necessarily that bad. If the method isn't responsible for anything defined in the routes.rb file, it can never be called by a user via the web interface. It might have been some code left over from development or testing that was disabled by simply removing the route. Less than entirely good, but not really a security risk in that case.
Admin
I had a similar case recently. I subscribe to article notification for some trade on-line publications. I accidentally clicked on the unsubscribe link in one E-mail. I was taken to a Web page that stated that I was unsubscribed. There was no confirmation at all.
To add to the mess, there was no address to E-mail to about this. I ended up sending an E-mail to the editor to get the matter dealt with.
Sincerely,
Gene Wirchenko
Admin
ha ha mods on 100% full assmad status now.
ud beter fix ur shit b4 tomorrow cuz its just gonna keep happening.
Admin
Wow, using 9/11 to push your article, and the content isn't even mildly interesting. Fantastic writing here.
Admin
Thank you moderators.
Admin
Admin
Wouldn't you prefer a nice game of chess ?
Admin
and the class isn't called a controller, and the class definitely doesn't inherit from another controller (more like Sinatra::Base). Padrino has some more tools to organize related routes, but its style is largely similar
Definitely Rails. And if they were smart enough to hardcode passwords they can be smart enough to redirect to a 'list' operation instead of using sane conventions.
Admin
Admin
Actually, western Europe has quite a history with terrorism, particularly in the seventies and eighties. But in the past 20 years, there has been plenty as well, such as the aforementioned RER and Métro attacks in Paris, the train bombings in Madrid and the 7/7 attacks in London.
I'm not aware of what was happening in the USA at the time, apart from a lot of aeroplane hijacks in the sixties, but with Germany's Red Army Faction and Italy's Red Brigades as the most prominent examples, there were a LOT of attacks. An infamous example from that period is the Bologna massacre, where neo-fascists (as if the left-wing terrorists weren't enough) bombed a railway station.
This is why heavily armed police and military are a familiar sight in certain European countries.
Admin
On the topic of heavily armed airport security, I flew through Frankfurt in late 2000. At that time, they had pairs of military looking guys patrolling the airport (don't know if they were police, army, or what have you, but recall they wore military-style fatigues). I recall that they had one sub-machine per pair, and wondered how they chose who got to/had to carry the big gun and who had to make due with just a sidearm.
Admin
No, that's Rails, Sinatra doesn't really have object oriented controllers, and Padrino is an extension thereof.
What they're probably doing is creating a GenericController that subclasses ApplicaitionController, and adding common app-specific functionality. It's a pretty common pattern in Rails. The actual logic is non-conventional, but potentially reasonable in context.
Of course, the WTF is very real. Hardcoded pwd, no parameter sanitization, etc. We can't assume from this snippet that there is absolutely no auth in a before filter somewhere, but there's plenty wrong with it.
Admin
I won't ask why there is a space between New & York because some idiot will say it "will" match and that won't be my point.