Chris Shiflett writes a clear recap of the GitHub SSH key exploit, which abused Rails mass assignment. A little scary that Rails doesn’t make form field checking easy.

For those of you more familiar with PHP, imagine a feature like register_globals, but instead of injecting arbitrary form data into the global namespace, it injects arbitrary form data into the database. It might as well be called opt-in SQL injection, but even that’s being too generous, because this is much easier to exploit than an SQL injection vulnerability.

Chris Shiflett ▪ Hacking Rails (and GitHub).

http://shiflett.org/blog/2012/mar/hacking-rails-and-github
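To make the "form data goes straight into the database" point concrete, here is an added example (mine, not code from Shiflett's post or from GitHub or Rails). It simulates mass assignment with plain Ruby objects instead of ActiveRecord: the VulnerablePublicKey class stands in for a model built with Model.new(params), the SafePublicKey class stands in for the allowlist that attr_accessible or strong parameters provide, and the form hash is constructed to resemble the GitHub case (an SSH public-key form with a smuggled user_id), with made-up values throughout.

```ruby
# Added example: stand-alone simulation of Rails-style mass assignment.
# No ActiveRecord is used; both classes below are constructed stand-ins.

# Constructed form submission. A browser form would only send "title" and
# "key"; the attacker adds "user_id" by hand, e.g. by POSTing
#   public_key[title]=laptop&public_key[key]=ssh-rsa+AAAA...&public_key[user_id]=4243
ATTACKER_PARAMS = {
  "title"   => "laptop",
  "key"     => "ssh-rsa AAAA...attacker",
  "user_id" => 4243,   # hypothetical id of another (privileged) account
}.freeze

# Vulnerable pattern: every key in the hash becomes a column value, so the
# attacker writes to columns the form never exposed. This is what
# Model.new(params[:public_key]) does when no attribute allowlist exists.
class VulnerablePublicKey
  attr_reader :attrs

  def initialize(params)
    @attrs = {}
    params.each { |column, value| @attrs[column] = value }
  end
end

# Hardened pattern: only an explicit allowlist of form fields is copied in
# (the role attr_accessible / permit play), and server-controlled columns
# such as the owning user are set from the session, never from the request.
class SafePublicKey
  PERMITTED = %w[title key].freeze
  attr_reader :attrs

  def initialize(params, current_user_id)
    @attrs = params.select { |column, _| PERMITTED.include?(column) }
    @attrs["user_id"] = current_user_id
  end
end

# Returns the column hash the vulnerable model would persist.
def mass_assign_unsafe(params)
  VulnerablePublicKey.new(params).attrs
end

# Returns the column hash the hardened model would persist.
def mass_assign_safe(params, current_user_id)
  SafePublicKey.new(params, current_user_id).attrs
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{mass_assign_unsafe(ATTACKER_PARAMS).inspect}"
  puts "safe:   #{mass_assign_safe(ATTACKER_PARAMS, 1).inspect}"
end
```

Run it and the unsafe version records the key under user 4243, the account the attacker chose, while the safe version drops the smuggled field and records it under the logged-in user. The fix is not validation of the fields the form shows but a server-side allowlist of which columns a request may touch at all.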