Errata for Security on Rails

The latest version of the book is P1.0, released over 6 years ago. If you've bought a PDF of the book and would like to upgrade it to this version (for free), visit your home page.

If you've found a new error, please submit it.

  • Reported in: B5.0 (24-Nov-09)
#41620
PDF page: 19

The second-to-last bullet point reads "Writing code that fails close". It should likely read "Writing code that fails closed".--Phillip Calvin

  • Reported in: P1.0 (25-Feb-11)
#46476
Paper page: 21

para 2: the URL .../profile/new should be .../users/new--Allan Kinnaird

  • Reported in: P1.0 (25-Feb-11)
#46479
Paper page: 21

para 2: "Click the Tamper button in the dialog box, as shown in Figure 2.6" should read "Click the Tamper button to bring up the dialog box shown in F...more...

  • Reported in: P1.0 (25-Feb-11)
#46480
Paper page: 21

para 3: "Control-click the column" should read "Control-click the Post Parameter column"--Allan Kinnaird

  • Reported in: P1.0 (28-Feb-11)
#46494
Paper page: 21...

Example code download: The Partial lunchedin_broken/app/views/tags/cloud.html.erb needs to be renamed .../_cloud.html.erb (and 14 other instances of t...more...

  • Reported in: P1.0 (28-Feb-11)
#46495
Paper page: 21...

The migration 007_create_tags_venues should be modified to read: ...create_table :tags_venues, :id => false do |t|... to prevent the creation of a ...more...

  • Reported in: P1.0 (01-Mar-11)
#46496
Paper page: 32...

The XSS exploits in section 2.6 appear not to work in Rails 3.0.5 and Firefox 3.6.13 (Hooray?)--Allan Kinnaird

  • Reported in: P1.0 (09-Dec-09)
#41766
PDF page: 39

On SQL injection on the statement page 39 SELECT * FROM users WHERE (username = 'wally' AND password = 'fakepass' or 'a' = 'a') LIMIT 1 will mat...more...

  • Reported in: P1.0 (02-Jan-10)
#41980
PDF page: 61

These anti-xss whitelists don't cover unicode character sets, which are required for name and address entry in international applications. A curre...more...

  • Reported in: P1.0 (05-Jun-10)
#43566
PDF page: 116

The LDAP authentic?() method on page 116 hard-codes all the values that should be read from the LDAP_CONF, as done on the next page.--Seth Arnold

  • Reported in: P1.0 (05-Jun-10)
#43567
PDF page: 135

The description of MAC versus DAC authorization is entirely wrong. :) Discretionary access control is when object owners are allowed to specify whi...more...

  • Reported in: B5.0 (07-Dec-09)
#41740
PDF page: 138

I think some explanation and a figure have disappeared from the end of p.138 / beginning of p.139: Figure 7.5 does not show that Bob is denied access...more...

  • Reported in: P1.0 (05-Jun-10)
#43571
PDF page: 151

"We can do this by providing something functionality along these lines..."

s/something functionality/something functionally/--Seth Arnold

  • Reported in: P1.0 (05-Jun-10)
#43569
PDF page: 159

I think the description of symmetric versus asymmetric cryptography could use some extra exposition. Instead of: For the purposes of the book, we c...more...

  • Reported in: P1.0 (09-Dec-09)
#41762
Paper page: 161

Text: Key distribution is not required as the same application decrypts and decrypts information. Should read: Key distribution is not required a...more...

  • Reported in: P1.0 (09-Dec-09)
#41763
Paper page: 164

Text: Let’s add a security question to LunchedIn to help us authenticate a user that has managed to loose their password. "loose" should be "lose"...more...

  • Reported in: P1.0 (05-Jun-10)
#43570
PDF page: 165

"That said, both RSA and DSA serve as excellent starting points for encryption." DSA cannot be used with encryption. (DSA was selected to become th...more...

  • Reported in: P1.0 (05-Jun-10)
#43568
PDF page: 172

Something about the voice of the introductory paragraph of section 9.1 struck me as aimed at the entirely wrong audience: "As a resident of the Wor...more...

  • Reported in: P1.0 (11-Jan-10)
#42054
PDF page: 180

In figure 9.4, the CSR may not include "the public key of the certificate authority email_ca.cer" as it is written. At this time, the csr has nothing...more...

  • Reported in: P1.0 (05-Jun-10)
#43572
PDF page: 187

"We can use the an issued digital certificate..."

s/the an/an/--Seth Arnold

  • Reported in: P1.0 (05-Jun-10)
#43573
PDF page: 189

"certificate revocation lists (curls)"

s/curls/CRLs/--Seth Arnold

  • Reported in: P1.0 (05-Jun-10)
#43575
PDF page: 189

"revoke the ability to automate create comments"

Suggest remove "automate" and change to "create comments via email".--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43576
PDF page: 189

The receive() method that does S/MIME email validation and comment parsing doesn't actually make sure that: (a) the user rating the venue actually ...more...

  • Reported in: P1.0 (06-Jun-10)
#43577
PDF page: 189

"lunchedin@gmail.com" -- we have example.com/net/org for a reason :)--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43578
PDF page: 192

"You can learn more about option this in..."

s/option this/this option/--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43579
PDF page: 214

Decide.erb has commented HTML included.

The decision action has commented "Not sure we should nil this out here" :)--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43580
PDF page: 219

"It's primary intended use was to provide"

s/It's/Its/--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43581
PDF page: 241

"but false if the call not complete"

s/call not/call did not/ (or rewrite to more-active "failed". :)--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43582
PDF page: 248

"SPNEGO can operate over many different of network protocols."

s/different of/different/--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43583
PDF page: 255

environment.rb includes a comment # BEGIN_HIGHLIGHT that feels like it was intended for the pragprog hamsters. :)--Seth Arnold

  • Reported in: P1.0 (06-Jun-10)
#43584
PDF page: 256

"In this file, all we modify only the skip_before_filter"

s/all we modify only/we only modify/--Seth Arnold