Thanks Fred. Two more questions:
Frederick C. wrote:
> Normal js files are just served as-is (and if you have set things up
> right never even touch rails at all (ie they are served directly by
> nginx or apache)).
> if you have an action that renders a .js.erb template you’ll get what
Yes, I ran across some references to “.js.erb” files; unfortunately I
have not found much of an explanation of them. I have a couple of books
from the library (“The Art of Rails”, IMO at best mediocre, and “Ajax on
Rails” which seems great).
I even grepped through the API for “.js.erb” and it’s not in there
even once…perhaps the suffix recently changed? Anyway, any pointers
to reading material here would be much appreciated.
> I have a sneaking suspicion that would allow an attacker to read any
> file on your hard disk (by passing the absolute path to the file as
I just tried that; it might work if the filename has a _ for a prefix,
but I doubt that since the server error also refers to the “views path
I am just working at home while learning anyway. I was surprised when I
noticed I get unrestricted access to the filesystem by default; I
presume WEBrick was not intended for security. I would assume that
if/when I put something up on a real server, they will not be permitting
that possibility if it can be prevented? Otherwise I’m surprised anyone
hosts Rails at all…but further thoughts from anyone would be welcome.
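The file-read problem raised above (a render whose template name comes from the request) is easier to see in isolation than inside a running app. The following is an added example, not code from Fred, the original poster, or Rails itself: `render_template_unsafe` stands in for an action that hands a request parameter straight to the template lookup, and `render_template_safe` shows the two checks a practitioner would add (an allowlist pattern on the logical name, plus a realpath containment check on the resolved file). The views directory, the `.js.erb` template and the "secret" config file are constructed in a temp directory so the script runs offline; the helper names and the assumption that the lookup is rooted at an `app/views` directory are mine, not Rails' actual resolver.

```ruby
require "tmpdir"
require "fileutils"

# Constructed stand-in for a Rails app tree: app/views holds templates,
# config/database.yml is a file an attacker would love to read.
APP_ROOT    = Dir.mktmpdir("railsapp")
VIEWS_ROOT  = File.join(APP_ROOT, "app", "views")
SECRET_FILE = File.join(APP_ROOT, "config", "database.yml")
FileUtils.mkdir_p(File.join(VIEWS_ROOT, "pages"))
FileUtils.mkdir_p(File.dirname(SECRET_FILE))
File.write(File.join(VIEWS_ROOT, "pages", "about.js.erb"), "alert('about');")
File.write(SECRET_FILE, "password: hunter2")

# VULNERABLE: the template name is used as a path relative to the views
# directory with no validation. File.expand_path happily accepts an absolute
# path (which then ignores VIEWS_ROOT entirely) or "../" segments, so any
# readable file on the box can be returned as a "template".
def render_template_unsafe(name)
  path = File.expand_path(name, VIEWS_ROOT)
  File.read(path)
end

# HARDENED (assumed mitigation, not Rails' own resolver):
#  1. the logical name must match a tight allowlist pattern, so "/", "..",
#     "." and absolute paths never reach the filesystem;
#  2. the extension is appended by us, not supplied by the caller;
#  3. the resolved real path (symlinks followed) must still sit under the
#     real views root, as a second line of defence against symlink tricks.
TEMPLATE_NAME = %r{\A[a-z0-9_]+(?:/[a-z0-9_]+)*\z}

def render_template_safe(name)
  raise ArgumentError, "bad template name: #{name.inspect}" unless name.match?(TEMPLATE_NAME)

  root = File.realpath(VIEWS_ROOT)
  path = begin
    File.realpath(File.join(root, "#{name}.js.erb"))
  rescue Errno::ENOENT
    raise ArgumentError, "no such template: #{name.inspect}"
  end
  raise ArgumentError, "template escapes views root" unless path.start_with?(root + File::SEPARATOR)

  File.read(path)
end

if __FILE__ == $PROGRAM_NAME
  puts render_template_unsafe("pages/about.js.erb")          # the intended template
  puts render_template_unsafe(SECRET_FILE)                   # absolute path: secret leaks
  puts render_template_unsafe("../../config/database.yml")   # traversal: secret leaks
  puts render_template_safe("pages/about")                   # intended template still works
  begin
    render_template_safe("../../config/database")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist pattern alone already stops both the absolute-path and the `..` cases; the realpath check is cheap insurance for the day someone drops a symlink into the views tree. In a real controller the `ArgumentError` would become a 404 rather than a 500, so the error page does not advertise the views path.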