Published: 2025-01-10 | Origin: /r/ruby

The content discusses the complexities and vulnerabilities associated with email parsing in web applications, particularly how discrepancies in email address parsing can lead to access control bypasses and remote code execution (RCE). It highlights the lenient standards established by longstanding RFCs (Request for Comments), which complicate the development of reliable email parsers. As a result, many web applications depend on third-party email parsing libraries without fully understanding how they process email addresses, leading to potential security issues when decisions are made based on email domains

Published: 2025-01-10 | Origin: /r/ruby

The post from Doyensec LLC discusses a specific type of vulnerability in Ruby called class pollution, an idea derived from the concept of prototype pollution in JavaScript. Class pollution can be mainly categorized into three types: 1. **Merge on Hashes**: Class pollution is not applicable as the merge operation is contained within the hash. 2. **Merge on Attributes (Non-Recursive)**: This involves poisoning instance variables of an object, potentially replacing methods and altering the object's behavior without affecting the

Published: 2025-01-10 | Origin: /r/ruby

Ruby on Rails is a web framework that utilizes the params object, an instance of ActionController::Parameters, to manage user-provided data through key-value pairs. This object collects data from the request body, query strings, and route paths. A notable vulnerability, called the _json juggling attack, exploits JSON parsing within Rails by allowing attackers to supply a JSON object with a "_json" key. This creates a conflict between single and multi-item JSON structures, leading to potential authorization bypass issues when the authorization

Published: 2025-01-10 | Origin: Hacker News

Failed to fetch content - HTTP Status - 403

Published: 2025-01-10 | Origin: /r/programming

The author announces their decision to fully commit to developing their programming language, jank, by resigning from their current job, effective Wednesday. This choice comes after a decade of exploring programming language design, initially motivated by their need for safer systems with robust compile-time meta programming and improved parallelism beyond what C++ could offer. The author has experimented with various languages, including Rust, Common Lisp, OCaml, Haskell, and Clojure, finding value in Rust and Clojure that significantly

Published: 2025-01-10 | Origin: Hacker News

The content describes a two-player card game called Cuttle, which emerged in North America in the 1970s and is considered one of the earliest examples of a combat card game, predating later games like Magic the Gathering. Players aim to build a layout of cards totaling at least 21 points to win. Each player is dealt a hand of cards from a standard 52-card deck, with one player starting the game. Players take turns playing cards to form their layouts and can attack their opponent

Published: 2025-01-10 | Origin: /r/programming

OpenTofu has released version 1.9.0, marking the one-year anniversary of its initial 1.6 release. This update introduces several long-requested features, notably the provider for_each, facilitating multi-zone and multi-region deployments. As part of their support policy, 1.6 is no longer supported and users are encouraged to upgrade to at least 1.7. The release saw a remarkable increase in usage, with registry requests tripling to over 6 million per day

Published: 2025-01-10 | Origin: Hacker News

The ECOSCOPE report by Laurence Boone, Boris Cournède, and Marissa Plouin discusses the impact of the COVID-19 pandemic on homelessness across OECD countries. In response to rising homelessness, many governments implemented significant public support measures, such as quickly providing housing to homeless individuals. The report highlights the UK as an example, where individuals living on the streets or in shelters were housed in individual accommodations within days. To sustain this progress, the report looks to Finland's long-term strategy, which

Published: 2025-01-10 | Origin: /r/programming

The organization values and carefully reviews all feedback received. For information on available qualifiers, please refer to their documentation.

Published: 2025-01-10 | Origin: /r/programming

CyberInsider reports on a recent investigation by Wladimir Palant, which reveals that many Chrome Web Store extensions exploit a loophole to manipulate search rankings using misleading descriptions and irrelevant keywords. This manipulation clutters search results, often burying legitimate extensions under unrelated options. Developers are taking advantage of Chrome's multilingual support by filling less-used language fields with competitive keywords, affecting global search results. For instance, searching for "Norton Password Manager" sometimes yields unrelated extensions at the top. Despite Google's policies against

Published: 2025-01-10 | Origin: /r/ruby

On January 10, 2025, Maxime Chevalier-Boisvert announced the release of a new version of YJIT, which is designed to be faster, more stable, and more memory-efficient than previous versions. The prior year's release had successfully boosted performance, encouraging many businesses to upgrade their Ruby deployments, which was a significant change from the past when many were several versions behind. YJIT 3.4 is reported to be approximately 92% faster than the CRuby

Published: 2025-01-10 | Origin: Hacker News

Daniel Wirtz shared a brief update about his blog, which features a menu for navigation, options for dark mode, and sections for books, bookmarks, and tools. Additionally, he invites readers to subscribe to his blog for further content.

Published: 2025-01-10 | Origin: Hacker News

Some programming languages struggle with obscurity, lack of usage, or overly ambitious feature sets. For instance, languages like Fortress have complex type systems that hinder initial implementations. Others, like BF (Brainfuck) and Scheme, have many implementations but not enough actual use, as developers often prefer to create their own versions instead of using existing ones. Shen, a multiparadigm Lisp with a minimal specification, also faces this issue, evidenced by numerous implementations but few libraries. Forth follows a similar trend where

Published: 2025-01-10 | Origin: /r/programming

Li Haoyi's article, dated January 10, 2025, discusses the role and functioning of garbage collectors (GCs) in programming languages, particularly focusing on the Java Virtual Machine (JVM). While GCs are essential for managing program memory, they can sometimes malfunction in unexpected ways. The article aims to provide readers with a deeper understanding of JVM garbage collectors, including their fundamental design and performance benchmarks. It begins with a simple example of a garbage collector to illustrate how memory management works,

Published: 2025-01-10 | Origin: /r/programming

Failed to fetch content - HTTP Status - 403

Published: 2025-01-10 | Origin: /r/programming

The article discusses how large language models (LLMs), like ChatGPT, deal with conflicting and outdated information found on the internet. It highlights that LLMs are trained on vast datasets that contain both current and historical information, leading to situations where they may recognize multiple, contradictory pieces of information as valid. The author uses the example of mountain heights to illustrate these inconsistencies, noting that similar principles apply to other domains such as medication dosages and programming guidelines. The article emphasizes that LLMs lack

Published: 2025-01-10 | Origin: Hacker News

Gleam v1.7.0 was released on January 5, 2025, highlighting significant improvements to the language, which is designed for the Erlang virtual machine and JavaScript runtimes. Notably, the update introduces monomorphisation of record updates, enhancing performance by eliminating runtime conditional logic, thus generating efficient case-by-case code for record creation without increasing compile time or code size. This optimization allows for safe changes to parameterized types during record updates, which was previously restricted

Published: 2025-01-10 | Origin: /r/ruby

The article explains the concept of lazy enumeration in Ruby using the Enumerator::Lazy class, emphasizing its advantages for processing large datasets and building complex data transformation pipelines. It contrasts lazy enumeration with eager enumeration through a visual demonstration. In eager enumeration, method calls are evaluated sequentially, requiring each previous step to be completed before proceeding. This is illustrated as "vertical" enumeration, where each operation produces a new collection one after the other. In contrast, lazy enumeration processes elements "horizontally," evaluating each

Published: 2025-01-10 | Origin: Hacker News

Kagi is a new subscription-based search engine that offers a unique approach to web searching for $10 a month, promising users high-quality search results without the distraction of ads. Unlike traditional search engines, Kagi operates on a user-centric model, prioritizing user needs over ad revenue. The service has gained attention for its potential to improve the overall search experience amid concerns over declining quality in existing platforms like Google and social media sites like Twitter and Reddit. Users might find Kagi a compelling alternative, especially

Published: 2025-01-10 | Origin: Hacker News

Wildfires are currently affecting the greater Los Angeles area, destroying over 1,300 structures and prompting evacuation orders for nearly 180,000 people. Despite the crisis, TikTok employees in LA have been instructed to either work from home or use personal/sick days if unable to do so, as the office remains closed due to power outages from high winds. The Palisades Fire has been visible from the TikTok office, and many employees are facing challenges such as lack of power and internet,