We try to keep our books accurate, but sometimes mistakes creep in. This page lists the errors submitted by our astute readers. If you've found a new error, please submit it.

The latest version of the book is P1.0, released over 3 years ago. If you've bought a PDF of the book and would like to upgrade it to this version (for free), visit your home page.
Each entry below gives the page where the error appears (PDF page, paper page, or both), the reported error with its reporter, and the book version and date the report was filed against. The "Fixed in" column is empty for every entry.

PDF page 19, found in B5.0 (24-Nov-09)
#41620: The second-to-last bullet point reads "Writing code that fails close". It should likely read "Writing code that fails closed".--Phillip Calvin

Paper page 21, found in P1.0 (25-Feb-11)
#46476: para 2: the URL .../profile/new should be .../users/new--Allan Kinnaird

Paper page 21, found in P1.0 (25-Feb-11)
#46479: para 2: "Click the Tamper button in the dialog box, as shown in Figure 2.6" should read "Click the Tamper button to bring up the dialog box shown in Figure 2.6" (The dialog box with the Tamper button is not shown in fig 2.6!)--Allan Kinnaird

Paper page 21, found in P1.0 (25-Feb-11)
#46480: para 3: "Control-click the column" should read "Control-click the Post Parameter column"--Allan Kinnaird

Paper page 21 and following, found in P1.0 (28-Feb-11)
#46494: Example code download: The partial lunchedin_broken/app/views/tags/cloud.html.erb needs to be renamed .../_cloud.html.erb (and 14 other instances of the file.)--Allan Kinnaird

Paper page 21 and following, found in P1.0 (28-Feb-11)
#46495: The migration 007_create_tags_venues should be modified to read:
...create_table :tags_venues, :id => false do |t|...
to prevent the creation of a primary key in the link table tags_venues. This may not be a problem if using MySQL as in the text, but SQLite3 creates a primary key by default. (Because of the problems with the mysql gem in Rails 3, readers may be using SQLite3.)--Allan Kinnaird

Paper page 32 and following, found in P1.0 (01-Mar-11)
#46496: The XSS exploits in section 2.6 appear not to work in Rails 3.0.5 and Firefox 3.6.13 (Hooray?)--Allan Kinnaird

PDF page 39, found in P1.0 (09-Dec-09)
#41766: On SQL injection, the statement on page 39
SELECT * FROM users WHERE (username = 'wally' AND password = 'fakepass' or 'a' = 'a') LIMIT 1
will match all users, not Wally. Because of that, the user actually logged in will be Bob (id=1). To produce the result described in the text, the statement would have to read as follows, because of operator precedence:
SELECT * FROM users WHERE (username = 'wally' AND (password = 'fakepass' or 'a' = 'a')) LIMIT 1
As that complicates the code more, you can instead change the password to
fakepass' or id = '3
or
fakepass' or username = 'wally--Fabio Henrique Mazarotto

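The precedence point made in this erratum, as an added example that is not code from the book or from the erratum: a small Ruby evaluator for the WHERE clause the book's login builds by string interpolation, with AND binding tighter than OR exactly as in SQL, run against a constructed users table in which Bob is id 1 and Wally is id 3. The table contents, column names and the `build_where`, `first_match` and `login` helpers are assumptions for the demo; `first_match` takes rows in table order to stand in for `LIMIT 1`.

```ruby
# Added example (not code from the book or the erratum): a tiny evaluator for
# the WHERE clause that a naive login builds by string interpolation.
# AND binds tighter than OR, exactly as in SQL, which is why the injected
# password matches every row. Table contents and helpers are constructed
# for this demo.
USERS = [
  { id: 1, username: "bob",   password: "bobpass" },
  { id: 2, username: "alice", password: "alicepass" },
  { id: 3, username: "wally", password: "wallypass" },
].freeze

# The vulnerable pattern: user-controlled input dropped straight into SQL.
def build_where(username, password)
  "(username = '#{username}' AND password = '#{password}')"
end

class WhereClause
  def initialize(clause)
    # Tokens: quoted strings, identifiers/keywords, '=', and parentheses.
    @tokens = clause.scan(/'[^']*'|[A-Za-z_][A-Za-z0-9_]*|[()=]/)
    @pos = 0
    @ast = parse_or
    raise ArgumentError, "unexpected token #{peek.inspect}" unless @pos == @tokens.size
  end

  def matches?(row)
    eval_node(@ast, row)
  end

  private

  def peek
    @tokens[@pos]
  end

  def take
    tok = @tokens[@pos]
    @pos += 1
    tok
  end

  def keyword?(word)
    !peek.nil? && peek.downcase == word
  end

  # or_expr := and_expr (OR and_expr)*     OR binds loosest
  def parse_or
    node = parse_and
    while keyword?("or")
      take
      node = [:or, node, parse_and]
    end
    node
  end

  # and_expr := cmp (AND cmp)*             AND binds tighter than OR
  def parse_and
    node = parse_cmp
    while keyword?("and")
      take
      node = [:and, node, parse_cmp]
    end
    node
  end

  # cmp := '(' or_expr ')' | term '=' term
  def parse_cmp
    if peek == "("
      take
      node = parse_or
      raise ArgumentError, "expected )" unless take == ")"
      return node
    end
    left = parse_term
    raise ArgumentError, "expected =" unless take == "="
    [:eq, left, parse_term]
  end

  def parse_term
    tok = take
    raise ArgumentError, "unexpected end of clause" if tok.nil?
    tok.start_with?("'") ? [:lit, tok[1..-2]] : [:col, tok.downcase.to_sym]
  end

  def eval_node(node, row)
    case node[0]
    when :or  then eval_node(node[1], row) || eval_node(node[2], row)
    when :and then eval_node(node[1], row) && eval_node(node[2], row)
    when :eq  then value(node[1], row) == value(node[2], row)
    end
  end

  # Compare as strings, mirroring MySQL's coercion in id = '3'.
  def value(term, row)
    term[0] == :lit ? term[1] : row.fetch(term[1]).to_s
  end
end

# SELECT * FROM users WHERE <clause> LIMIT 1, taking rows in table order.
def first_match(clause_sql)
  clause = WhereClause.new(clause_sql)
  USERS.find { |row| clause.matches?(row) }
end

def login(username, password)
  first_match(build_where(username, password))
end
```

`login("wally", "fakepass' or 'a' = 'a")` returns Bob because the OR term is true for the very first row; `fakepass' or id = '3` and `fakepass' or username = 'wally` return Wally, as the erratum says, and the explicitly parenthesized clause also returns Wally. Real databases give no row order without ORDER BY, so which user "wins" the injected login is not even deterministic in general; the fix is parameterized queries rather than a cleverer payload.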
PDF page 61, found in P1.0 (02-Jan-10)
#41980: These anti-XSS whitelists don't cover Unicode character sets, which are required for name and address entry in international applications. A current book should really cover whitelisting non-English alphabets, or at least make a suggestion.

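One way to do what this erratum asks for, as an added example that is not code from the book: a whitelist built from Unicode character properties (`\p{L}` for letters in any script, `\p{M}` for combining marks, `\p{N}` for digits) instead of `[a-zA-Z]`, with NFC normalization first so the same name is stored the same way however it was typed. The field rules, the length limit and the helper names are assumptions for the demo.

```ruby
# Added example (not from the book): whitelists for name and address fields
# that admit letters from any script rather than only [a-zA-Z].
# The exact rules and the length cap are assumptions for this demo.
MAX_LEN = 100

# The ASCII-only pattern the erratum objects to: rejects José, Zoë, 李雷.
ASCII_NAME = /\A[a-zA-Z][a-zA-Z .'-]*\z/

# \p{L}: any letter, \p{M}: combining marks (accents typed as separate
# code points), \p{N}: digits. Markup characters such as < > " & are
# simply absent, so they can never reach the page.
UNICODE_NAME    = /\A\p{L}[\p{L}\p{M} .'-]*\z/
UNICODE_ADDRESS = /\A[\p{L}\p{M}\p{N} ,.'\/#-]+\z/

def whitelisted?(value, pattern)
  # Normalize first so "é" entered as e + U+0301 is stored as U+00E9,
  # and so the length check counts composed characters.
  normalized = value.unicode_normalize(:nfc)
  normalized.length <= MAX_LEN && pattern.match?(normalized)
end

def valid_name?(value)
  whitelisted?(value, UNICODE_NAME)
end

def valid_address?(value)
  whitelisted?(value, UNICODE_ADDRESS)
end
```

Whitelisting input is still only the first line of defence; output should go through the view's HTML escaping regardless, since an allowed apostrophe is harmless in a name field but not inside an unquoted attribute.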
PDF page 116, found in P1.0 (05-Jun-10)
#43566: The LDAP authentic?() method on page 116 hard-codes all the values that should be read from LDAP_CONF, as is done on the next page.--Seth Arnold

PDF page 135, found in P1.0 (05-Jun-10)
#43567: The description of MAC versus DAC authorization is entirely wrong. :)
Discretionary access control is when object owners are allowed to specify which other users in the system may use the objects, and with which permissions. Standard Unix, extended Unix ACLs, Windows ACLs, etc., are all discretionary because the file or directory owner can choose which users or groups to grant read/write/execute (or delete/etc, for the fancier types). It is discretionary because it is at the discretion of the owner.
Mandatory access control is when object owners do NOT have complete control over the allowed users and privileges of their objects. The security administrator decides what privileges may be granted and to whom. Users may also have some discretionary access control privileges, but they are subservient to the mandatory access control privileges.
MAC is mandatory because users cannot modify the privileges themselves. MAC does not have to be implemented with labels -- the Common Criteria LSPP protection profile requires labels, but it is by no means universally accepted. MAC can also be implemented in part by standard filesystem services, such as Samba, which can be configured to export some shares read-only, or apply its own per-group or per-user access controls in addition to whatever DAC ACLs might also exist on files in the filesystem.--Seth Arnold

PDF page 138, found in B5.0 (07-Dec-09)
#41740: I think some explanation and a figure have disappeared from the end of p.138 / beginning of p.139: Figure 7.5 does not show that Bob is denied access to the site. It does, however, illustrate the last paragraph of p.138 (Joe's Friends group), but for Figure 7.5 to be correct, the text should also tell us that Bob is a member of this group.--Frederic BLANC

PDF page 151, found in P1.0 (05-Jun-10)
#43571: "We can do this by providing something functionality along these lines..."
s/something functionality/something functionally/--Seth Arnold

PDF page 159, found in P1.0 (05-Jun-10)
#43569: I think the description of symmetric versus asymmetric cryptography could use some extra exposition. Instead of:
"For the purposes of the book, we can divide cryptography into two main groups: symmetric and asymmetric. Each group has its own strengths and weaknesses, and neither group is always better than the other."
I suggest something more like:
"For the purposes of the book, we can divide cryptography into two main groups: symmetric and asymmetric. Because each group has its own strengths and weaknesses, it is important to know how each is used before deploying an application that relies on cryptography.
Asymmetric ciphers are normally used for key distribution and digital signatures. Asymmetric ciphers are never used to encrypt messages directly; instead, messages are encrypted with a random session key using a symmetric cipher, and the session key is encrypted to a specific public key. Only the holder of the private key can recover the session key, and the message can only be recovered with the session key. When used with digital signature schemes, an asymmetric cipher signs a digest of the message using a private key; anyone with the public key can validate that the message digest was signed with the private key, and thus know the message was signed by the private key.
Symmetric ciphers are used either when key distribution happens out of band, over time (storage and retrieval from encrypted databases), or when keys can be negotiated using asymmetric ciphers."
The general gist is that the text doesn't make clear that asymmetric ciphers are suitable only for very specific purposes, such as key distribution and signing message digests. The examples later in the text showing human-readable messages being encrypted directly using RSA are fine as examples go, but _please_ annotate the examples to clearly indicate that real applications do not sign or encrypt messages directly with RSA.--Seth Arnold

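The hybrid scheme this erratum describes, as an added example that is not code from the book or from the erratum: the message is encrypted under a random AES-256-GCM session key, RSA-OAEP wraps only that key for the recipient's public key, and the sender's RSA private key signs a SHA-256 digest rather than the message. It uses Ruby's standard OpenSSL binding; the key size, helper names and sample message are assumptions for the demo.

```ruby
require "openssl"

# Added example (not code from the book or the erratum): the hybrid scheme
# the erratum describes. RSA never encrypts the message itself; it wraps a
# random AES-256-GCM session key and signs a SHA-256 digest. Key size and
# helper names are assumptions for this demo.
RSA_BITS = 2048
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

def generate_keypair
  OpenSSL::PKey::RSA.new(RSA_BITS)
end

# Sender side: symmetric cipher for the message, asymmetric cipher only for
# the 32-byte session key. Returns an envelope the recipient can open.
def seal(message, recipient_public_key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  session_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(message) + cipher.final
  {
    wrapped_key: recipient_public_key.public_encrypt(session_key, OAEP),
    iv: iv,
    ciphertext: ciphertext,
    tag: cipher.auth_tag,
  }
end

# Recipient side: only the private-key holder can unwrap the session key.
# Returns nil when the GCM tag does not verify (ciphertext was tampered with).
def open_sealed(envelope, recipient_private_key)
  session_key = recipient_private_key.private_decrypt(envelope[:wrapped_key], OAEP)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = session_key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  cipher.auth_data = ""
  cipher.update(envelope[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Digital signature: the private key signs a SHA-256 digest of the message,
# never the message itself; anyone with the public key can verify it.
def sign_message(message, signer_private_key)
  signer_private_key.sign(OpenSSL::Digest.new("SHA256"), message)
end

def signature_valid?(message, signature, signer_public_key)
  signer_public_key.verify(OpenSSL::Digest.new("SHA256"), signature, message)
end

# Why RSA is not used on the message directly: with OAEP a 2048-bit key can
# encrypt at most about 214 bytes, so anything longer is rejected outright.
def rsa_direct_encrypt_fails?(message, recipient_public_key)
  recipient_public_key.public_encrypt(message, OAEP)
  false
rescue OpenSSL::PKey::PKeyError
  true
end
```

Flipping a byte of the ciphertext makes `open_sealed` return nil because the GCM tag no longer verifies, which is the property the text's RSA-only examples cannot offer; `rsa_direct_encrypt_fails?` shows the practical reason behind the erratum's request, since a 2048-bit RSA-OAEP operation simply refuses a message of a few hundred bytes.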
Paper page 161, found in P1.0 (09-Dec-09)
#41762: Text:
Key distribution is not required as the same application decrypts and decrypts information.
Should read:
Key distribution is not required as the same application encrypts and decrypts information.--Dave Grijalva

Paper page 164, found in P1.0 (09-Dec-09)
#41763: Text:
Let’s add a security question to LunchedIn to help us authenticate a user that has managed to loose their password.
"loose" should be "lose"--Dave Grijalva

PDF page 165, found in P1.0 (05-Jun-10)
#43570: "That said, both RSA and DSA serve as excellent starting points for encryption."
DSA cannot be used with encryption. (DSA was selected to become the US Government's digital signature standard because it can only be used for signature creation/validation, thus it could be easily exported from the United States. Because RSA could also be used for encryption, it was classified as a munition, and could only be exported with a huge amount of paperwork.)--Seth Arnold

PDF page 172, found in P1.0 (05-Jun-10)
#43568: Something about the voice of the introductory paragraph of section 9.1 struck me as aimed at the entirely wrong audience:
"As a resident of the World Wide Web, you've probably heard about digital signatures. Digital signatures are crypto-systems built using message digests and asymmetric cryptography.Crypto-system is just a fancy way of describing a collection of cryptography techniques used"
Ignore the missing space, I think the whole thing needs to be re-written. :) The book is _already_ being read by people already interested in security, who can probably guess what 'crypto-system' means without being told that it is fancy in any way :) and mostly just want to know: (a) x509 vs openPGP? (b) does anyone actually _use_ these mechanisms? with which MUAs?
Please take this as it is meant, with kindness. :) This book is really good, but this paragraph rubbed me the wrong way. It's not a blog post "so what's all this digital signature stuff?" aimed at the Internet in general, but rather 170 pages into a Pragmatic Programmers book on how to program Rails securely. :)--Seth Arnold

PDF page 180, found in P1.0 (11-Jan-10)
#42054: In figure 9.4, the CSR may not include "the public key of the certificate authority email_ca.cer" as it is written. At this time, the CSR has nothing to do with the CA.
Cheers--Alexandre FRIQUET

PDF page 187, found in P1.0 (05-Jun-10)
#43572: "We can use the an issued digital certificate..."
s/the an/an/--Seth Arnold

PDF page 189, found in P1.0 (05-Jun-10)
#43573: "certificate revocation lists (curls)"
s/curls/CRLs/--Seth Arnold

PDF page 189, found in P1.0 (05-Jun-10)
#43575: "revoke the ability to automate create comments"
Suggest removing "automate" and changing to "create comments via email".--Seth Arnold

PDF page 189, found in P1.0 (06-Jun-10)
#43576: The receive() method that does S/MIME email validation and comment parsing doesn't actually make sure that:
(a) the user rating the venue actually booked the venue. The venue finder should be replaced with something like this:
user = User.find_by_email(cert_email[1])
venue = user.venues.find(id)
Otherwise someone could easily rate venues they've never booked.
(b) the date on which the user attempts to rate the venue has already passed (perhaps it makes sense to let voters rate venues before they have used them -- perhaps venue staff are annoyingly pedantic people :) -- but users could be rating venues they've never used and have no intention of ever using (say, they book the venue for the year 2525 or something.)--Seth Arnold

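The two checks this erratum asks for, as an added example that is not the book's receive() method: the venue is resolved through the authenticated user's own bookings (what scoping the lookup through the user's association buys you in Rails), and a rating is only accepted once a booking date has passed. The models are plain Ruby stand-ins for the LunchedIn classes; their names, fields and the 1..5 score range are assumptions for the demo.

```ruby
require "date"

# Added example (not the book's receive() method): the two checks the
# erratum asks for, on plain Ruby stand-ins for the LunchedIn models.
# Model names, fields and the score range are assumptions for this demo.
Venue   = Struct.new(:id, :name)
Booking = Struct.new(:venue, :date)
User    = Struct.new(:email, :bookings)

class RatingError < StandardError; end

# (a) Resolve the venue through the user's own bookings, never by a bare id
# taken from the email: an id the user never booked is simply not found.
def bookings_for(user, venue_id)
  user.bookings.select { |b| b.venue.id == venue_id }
end

def rate_venue(user, venue_id, score, today: Date.today)
  booked = bookings_for(user, venue_id)
  raise RatingError, "#{user.email} never booked venue #{venue_id}" if booked.empty?
  # (b) Only accept a rating once at least one booking date has passed.
  unless booked.any? { |b| b.date <= today }
    raise RatingError, "no booking at venue #{venue_id} has taken place yet"
  end
  raise RatingError, "score must be 1..5" unless (1..5).cover?(score)
  { email: user.email, venue_id: venue_id, score: score }
end

# Convenience predicate for callers that only need a yes/no answer.
def rating_allowed?(user, venue_id, score, today: Date.today)
  rate_venue(user, venue_id, score, today: today)
  true
rescue RatingError
  false
end
```

The important design choice is that the venue id from the message is never used to look up a venue on its own; it only selects among bookings that already belong to the user identified by the certificate, so an unbooked id fails closed.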
PDF page 189, found in P1.0 (06-Jun-10)
#43577: "lunchedin@gmail.com" -- we have example.com/net/org for a reason :)--Seth Arnold

PDF page 192, found in P1.0 (06-Jun-10)
#43578: "You can learn more about option this in..."
s/option this/this option/--Seth Arnold

PDF page 214, found in P1.0 (06-Jun-10)
#43579: Decide.erb has commented-out HTML included.
The decision action has the comment "Not sure we should nil this out here" :)--Seth Arnold

PDF page 219, found in P1.0 (06-Jun-10)
#43580: "It's primary intended use was to provide"
s/It's/Its/--Seth Arnold

PDF page 241, found in P1.0 (06-Jun-10)
#43581: "but false if the call not complete"
s/call not/call did not/ (or rewrite to the more active "failed". :)--Seth Arnold

PDF page 248, found in P1.0 (06-Jun-10)
#43582: "SPNEGO can operate over many different of network protocols."
s/different of/different/--Seth Arnold

PDF page 255, found in P1.0 (06-Jun-10)
#43583: environment.rb includes a comment # BEGIN_HIGHLIGHT that feels like it was intended for the pragprog hamsters. :)--Seth Arnold

PDF page 256, found in P1.0 (06-Jun-10)
#43584: "In this file, all we modify only the skip_before_filter"
s/all we modify only/we only modify/--Seth Arnold
