From: Walton Hoops on 15 Apr 2010 12:50

On 4/15/2010 12:00 AM, Tony Arcieri wrote:
> On Wed, Apr 14, 2010 at 11:54 PM, Tony Arcieri <tony.arcieri(a)medioh.com> wrote:
>
>> And, oh by the way, as I referenced in the OP, the MLM is subject to some
>> pretty ridiculous security vulnerabilities. Anyone can unsubscribe anyone
>> from ruby-talk, so long as they read it via e-mail. That's silly.
>>
> And as I realize code speaks louder than words, here you go. Here's some
> Ruby code to unsubscribe someone from ruby-talk without their permission.
> This particular snippet is set up to unsubscribe thunk from ruby-talk.
> Feel free to modify it to unsubscribe whoever you like:
>
> http://gist.github.com/365142
>
> I send you this only to point out that ruby-talk is very much insecure,
> especially for anyone who reads it via email.
>

Actually, all that will do is cause the user to get a confirmation e-mail
asking if they really want to unsubscribe. I suppose it could lead to some
annoying spam, but I hardly think it's a critical security bug.
From: Tony Arcieri on 15 Apr 2010 12:57

[Note: parts of this message were removed to make it a legal post.]

On Thu, Apr 15, 2010 at 10:50 AM, Walton Hoops <walton(a)vyper.hopto.org> wrote:
> Actually, all that will do is cause the user to get a confirmation
> e-mail asking if they really want to unsubscribe. I suppose it could
> lead to some annoying spam, but I hardly think it's a critical security
> bug.
>

That's what a secure MLM would do. The ruby-talk one does not. If you don't
believe me I can run it against your email address.

--
Tony Arcieri
Medioh! A Kudelski Brand
From: Walton Hoops on 15 Apr 2010 13:27

On 4/15/2010 10:57 AM, Tony Arcieri wrote:
> On Thu, Apr 15, 2010 at 10:50 AM, Walton Hoops <walton(a)vyper.hopto.org> wrote:
>
>> Actually, all that will do is cause the user to get a confirmation
>> e-mail asking if they really want to unsubscribe. I suppose it could
>> lead to some annoying spam, but I hardly think it's a critical security
>> bug.
>>
> That's what a secure MLM would do. The ruby-talk one does not. If you
> don't believe me I can run it against your email address.
>

Go ahead, I already did.
From: Walton Hoops on 15 Apr 2010 13:54

On 4/15/2010 11:27 AM, Walton Hoops wrote:
> On 4/15/2010 10:57 AM, Tony Arcieri wrote:
>> On Thu, Apr 15, 2010 at 10:50 AM, Walton Hoops <walton(a)vyper.hopto.org> wrote:
>>
>>> Actually, all that will do is cause the user to get a confirmation
>>> e-mail asking if they really want to unsubscribe. I suppose it could
>>> lead to some annoying spam, but I hardly think it's a critical security
>>> bug.
>>>
>> That's what a secure MLM would do. The ruby-talk one does not. If you
>> don't believe me I can run it against your email address.
>>
> Go ahead, I already did.
>

Hmm... just a moment ago I got this e-mail:

On 4/15/2010 11:50 AM, ruby-talk-admin(a)ruby-lang.org wrote:
> unsubscribe
>
> unsubscribe-confirm 2010041602504610836465093473 walton vyper.hopto.org
>
> Please reply this mail to confirm your unsubscribe request
> and send this to ruby-talk-ctl(a)ruby-lang.org
> If confirmed, you are removed from MAILING LIST <ruby-talk(a)ruby-lang.org>.
>
> --ruby-talk(a)ruby-lang.org, Be Seeing You!
>
> ************************************************************
>
> Help: <mailto:ruby-talk-ctl(a)ruby-lang.org?body=help>
> Unsubscribe: <mailto:ruby-talk-ctl(a)ruby-lang.org?body=unsubscribe>
>
> If you have any questions or problems,
> please contact ruby-talk-admin(a)ruby-lang.org
> or
> send e-mail with the body "help"(without quotes) to
> ruby-talk-ctl(a)ruby-lang.org
> (here is the automatic reply, so more preferable)
>
> e.g. on a Unix Machine
> (shell prompt)% echo "help" |Mail ruby-talk-ctl(a)ruby-lang.org
>
> ************************************************************
>

I wonder how that could have happened ;-)
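The disagreement in this thread is whether the list manager removes a subscriber as soon as it receives a bare "unsubscribe" command, or first challenges the subscribed address with a confirmation token like the one quoted above. Because the From: header of a command mail is trivially forgeable, the only thing that makes such a flow safe is that the challenge goes to the real mailbox and removal happens only when a valid, unexpired, single-use token comes back. The Ruby class below is an added illustration of that design; it is not ruby-talk's own list software, and the class name, the `TOKEN_TTL` value, the token layout and the example addresses are all constructed for this sketch.

```ruby
require 'openssl'
require 'securerandom'

# Constructed model of a list manager whose "unsubscribe" command never
# removes anyone directly: it only mails a challenge token to the address
# that is actually subscribed. Removal happens when that token is redeemed.
class ConfirmedUnsubscribe
  TOKEN_TTL = 24 * 60 * 60 # assumed validity window, in seconds

  attr_reader :outbox # [to, body] pairs that a real MLM would send

  def initialize(secret, clock: -> { Time.now.to_i })
    @secret = secret   # list-wide HMAC key
    @clock = clock     # injectable for testing expiry
    @members = {}
    @used = {}         # redeemed tokens, so a captured token cannot be replayed
    @outbox = []
  end

  def subscribe(address)
    @members[address.downcase] = true
  end

  def member?(address)
    @members.key?(address.downcase)
  end

  # Entry point for one command mail. +from+ is the claimed sender; since it
  # can be forged, it only decides where the challenge is delivered, never
  # whether anyone is removed.
  def handle(from, body)
    cmd = body.strip
    if cmd == 'unsubscribe'
      return :not_a_member unless member?(from)
      @outbox << [from.downcase, "unsubscribe-confirm #{issue_token(from)}"]
      :confirmation_sent
    elsif cmd.start_with?('unsubscribe-confirm ')
      redeem(cmd.delete_prefix('unsubscribe-confirm '))
    else
      :unknown_command
    end
  end

  private

  # Token layout (constructed): issued_at|nonce|address|hmac. The HMAC binds
  # all three fields, so none of them can be edited without the list secret.
  def issue_token(address)
    addr = address.downcase
    issued = @clock.call
    nonce = SecureRandom.hex(8)
    [issued, nonce, addr, mac(issued, nonce, addr)].join('|')
  end

  def redeem(token)
    issued, nonce, addr, tag = token.split('|', 4)
    return :malformed unless tag && issued.match?(/\A\d+\z/)
    return :bad_token unless constant_time_equal(mac(issued, nonce, addr), tag)
    return :expired if @clock.call - issued.to_i > TOKEN_TTL
    return :replayed if @used[token]
    return :not_a_member unless member?(addr)
    @used[token] = true
    @members.delete(addr)
    :unsubscribed
  end

  def mac(issued, nonce, addr)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, "#{issued}|#{nonce}|#{addr}")
  end

  # Compare without leaking, through timing, how many leading bytes matched.
  def constant_time_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  mlm = ConfirmedUnsubscribe.new('list-secret (constructed)')
  mlm.subscribe('walton@example.org')
  # Anyone can send "unsubscribe" with a forged From:; the only effect is a
  # challenge delivered to the subscriber's own mailbox.
  p mlm.handle('walton@example.org', 'unsubscribe') # :confirmation_sent
  to, challenge = mlm.outbox.last
  # Only the holder of that mailbox can echo the challenge back.
  p mlm.handle(to, challenge)                        # :unsubscribed
  p mlm.member?('walton@example.org')                # false
end
```

The property worth checking in any MLM is the one the `handle` method enforces: a forged command changes nothing on its own, a tampered or foreign token is rejected before any membership lookup, and a token that did work cannot be used twice or after its window closes. A list manager that drops the subscriber on the bare command, as Tony reports for his own address, skips every one of those checks.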
From: Tony Arcieri on 15 Apr 2010 13:57

[Note: parts of this message were removed to make it a legal post.]

Strange... when I do it to myself it unsubscribes me with no confirmation.

On Thu, Apr 15, 2010 at 11:54 AM, Walton Hoops <walton(a)vyper.hopto.org> wrote:
> On 4/15/2010 11:27 AM, Walton Hoops wrote:
>> On 4/15/2010 10:57 AM, Tony Arcieri wrote:
>>> On Thu, Apr 15, 2010 at 10:50 AM, Walton Hoops <walton(a)vyper.hopto.org> wrote:
>>>
>>>> Actually, all that will do is cause the user to get a confirmation
>>>> e-mail asking if they really want to unsubscribe. I suppose it could
>>>> lead to some annoying spam, but I hardly think it's a critical security
>>>> bug.
>>>>
>>> That's what a secure MLM would do. The ruby-talk one does not. If you
>>> don't believe me I can run it against your email address.
>>>
>> Go ahead, I already did.
>>
>
> Hmm... just a moment ago I got this e-mail:
>
> On 4/15/2010 11:50 AM, ruby-talk-admin(a)ruby-lang.org wrote:
>> unsubscribe
>>
>> unsubscribe-confirm 2010041602504610836465093473 walton vyper.hopto.org
>>
>> Please reply this mail to confirm your unsubscribe request
>> and send this to ruby-talk-ctl(a)ruby-lang.org
>> If confirmed, you are removed from MAILING LIST <ruby-talk(a)ruby-lang.org>.
>>
>> --ruby-talk(a)ruby-lang.org, Be Seeing You!
>>
>> ************************************************************
>>
>> Help: <mailto:ruby-talk-ctl(a)ruby-lang.org?body=help>
>> Unsubscribe: <mailto:ruby-talk-ctl(a)ruby-lang.org?body=unsubscribe>
>>
>> If you have any questions or problems,
>> please contact ruby-talk-admin(a)ruby-lang.org
>> or
>> send e-mail with the body "help"(without quotes) to
>> ruby-talk-ctl(a)ruby-lang.org
>> (here is the automatic reply, so more preferable)
>>
>> e.g. on a Unix Machine
>> (shell prompt)% echo "help" |Mail ruby-talk-ctl(a)ruby-lang.org
>>
>> ************************************************************
>>
>
> I wonder how that could have happened ;-)
>

--
Tony Arcieri
Medioh! A Kudelski Brand