It's fully functional, and you can switch over to the live OpenStreetMap database by clicking 'dev' in the lower right. Loading and saving data happens via an XHR request to the OpenStreetMap API hosted on http://www.openstreetmap.org. The API supports CORS, making direct cross-origin connections possible.
* RubyGems did not validate SSL certificates (the dreaded OpenSSL::SSL::VERIFY_NONE problem).
* RubyGems allowed HTTPS-to-HTTP redirects. And in fact rubygems.org did redirect gem downloads from HTTPS to HTTP (also fixed).
Either of these mean that an attacker could MITM your `gem install` or `bundle install` and give you malicious gem contents. You'd be owned when you required the gem -- possibly sooner, in fact, because gem install itself provides mechanisms for arbitrary code execution.
It's also important to note that RubyGems does not default to HTTPS. I highly recommend using `source "https://rubygems.org` in your Gemfile and the following in your ~/.gemrc:
With everything Github has done to lower the barrier to contributing to an open source project, it's a shame that the legal climate around software (especially in patent-related areas) makes such things necessary.
I can definitely imagine cases where the time and effort required to get company approval to sign such an agreement would outweigh the benefits of submitting a change upstream; I've been in such a position myself.
I'm curious about the technical details of the CSRF bypass vulnerability. Anyone know what the "combinations of browser plugins and HTTP redirects" that lead to it are?
Same here. Based on the changes made in the patch, it seems like the attack involves being able to make cross-domain requests but not being able to read back the response. I didn't think that was the way Java and Flash behaved.
