Rails 1.2.4: Maintenance release
Posted by David October 05, 2007 @ 04:38 AM
This release contains additional deprecation notices, security fixes and some minor performance improvements. All users of 1.2.3 are advised to upgrade.
Deprecation Notices
If you intend to upgrade to 2.0 you should run your tests and fix any deprecation warnings that are displayed. The warnings will become errors with the release of 2.0.
If you’re using RESTful routing, pay special attention to the changes to route generation and recognition. The previous use of the semicolon in URLs has been replaced with a regular /. For instance /person/1;edit has become /person/1/edit. This change was made because several libraries, including mongrel, mistakenly treated semi-colons as query string separators, and some browsers and http libraries misbehaved.
Your old ;-based URLs will continue to be recognized, though. They’re just no longer generated.
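The recognize-both, generate-one behaviour described above, as an added example in plain Ruby (this is not Rails’ routing code; the route shape, helper names and sample paths are constructed for the demo):

```ruby
# Matches /<controller>/<id> optionally followed by ";<action>" (legacy form)
# or "/<action>" (current form). One path segment per part, nothing else.
RESOURCE_ROUTE = %r{\A/(\w+)/(\d+)(?:([;/])(\w+))?\z}

# Recognize a path. Returns a Hash with :controller, :id, :action and a
# :legacy flag (true when the old semicolon form was used), or nil when the
# path does not match. Anything after a "?" is deliberately not part of the
# path, so a query string makes the match fail rather than leak into :action.
def recognize(path)
  m = RESOURCE_ROUTE.match(path)
  return nil unless m
  controller, id, sep, action = m.captures
  {
    controller: controller,
    id: id.to_i,
    action: action || 'show',
    legacy: sep == ';'
  }
end

# Generate a path. Always emits the slash form, never the semicolon form, so
# links the application produces are safe for servers and clients that treat
# ";" as a query-string separator.
def generate(controller, id, action = nil)
  path = "/#{controller}/#{id}"
  path += "/#{action}" if action && action != 'show'
  path
end

# Round trip: a legacy URL is recognized, but regenerating the same route
# yields the new canonical form.
def canonicalize(path)
  route = recognize(path)
  return nil unless route
  generate(route[:controller], route[:id], route[:action])
end

if __FILE__ == $0
  p recognize('/person/1;edit')    # legacy form, still recognized
  p recognize('/person/1/edit')    # current form
  p canonicalize('/person/1;edit') # "/person/1/edit"
end
```

The `:legacy` flag is the hook a deploy would use to log how many old-style URLs still arrive before dropping semicolon recognition entirely.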
Security Enhancements
1.2.4 fixes several potential security issues:
- Session fixation attacks are mitigated by removing support for URL-based sessions
- Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json
- Potential security and performance problems with XmlSimple have been fixed by disabling certain dangerous options by default.
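Two of the three fixes above (HTML-aware JSON output, and sessions that are never taken from the URL) are easy to see in isolation. The following is an added example written for this post, not ActiveSupport’s or ActionController’s implementation; the helper names, the `_session_id` key and the sample record are constructed for the demo.

```ruby
require 'json'

# Characters that can close a <script> block or open a tag. Emitting them as
# \uXXXX escapes keeps the output valid JSON while making it inert inside HTML.
HTML_UNSAFE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Plain encoding: JSON itself does not require < > & to be escaped.
def naive_json(value)
  JSON.generate(value)
end

# HTML-safe encoding: the same JSON value, but no raw < > & in the output.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# A typical inline use: assigning a record to a JavaScript variable in a page.
def script_block(json)
  "<script>var record = #{json};</script>"
end

# Count "</script>" closers in the rendered page. More than one means the data
# terminated the script block early and the browser parses what follows as
# markup, which is the XSS condition the 1.2.4 change removes.
def script_closers(html)
  html.scan('</script>').length
end

# Session ids should come only from the cookie jar. A request that carries the
# id in the query string (the old URL-based sessions) gets no session from it,
# which closes the fixation path where a victim is handed a URL containing a
# session id chosen in advance. SESSION_KEY is an assumed name for this demo.
SESSION_KEY = '_session_id'

def session_id_from(cookies, query_params)
  # query_params is accepted only to make the point explicit: it is never
  # consulted, so a URL-supplied id can never become the active session.
  cookies[SESSION_KEY]
end

if __FILE__ == $0
  record = { 'name' => 'Bob </script>' }   # constructed value containing a closer
  puts script_closers(script_block(naive_json(record)))      # 2
  puts script_closers(script_block(html_safe_json(record)))  # 1
  p JSON.parse(html_safe_json(record)) == record             # true: still valid JSON
  p session_id_from({}, { SESSION_KEY => 'from-url' })       # nil
end
```

Note that the escaped form round-trips through `JSON.parse` unchanged, so callers consuming the output as data see no difference; only the raw bytes placed into HTML change.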
Upgrade with the standard gem install rails command. Rails 1.2.4 serves as a drop-in replacement for 1.2.3.
Update: please see the latest 1.2.5 stable release

first comment
In the 2.0PR article it says to gem install with: gem install rails --source http://gems.rubyonrails.org
Doing this now installs 1.2.4 instead though. Any quick way to gem install 2.0PR, or do we need to use SVN instead?
@crayz: We’ll fix this up in a bit, for now use the rake approach to freeze.
“[...] This change was made as several libraries, including mongrel, mistakenly treated semi-colons as query string seperators and some browsers and http libraries misbehaved.”
Reading the URI spec, Rails got it wrong, not the several libraries, mongrel and some browsers. It’s clear from the grammar that the param following the ";" is part of the path, not part of the query string. See RFC 2396 Section 3.3 Path Component. If you expect to use a ";" to separate query parameters, it must follow a "?" per Section 3 and appendix A.
It’s very un-cool to put incorrect information about spec-compliant libraries in your release announcement when Rails made the wrong choice to begin with.
After the update “rails -v” is still giving me 1.2.3 - I can see in the checkin history where the individual version numbers got bumped but don’t see this version changed anywhere. My update was successful… anyone else?
@Eric: I think you have misread the post. It says mongrel mistakenly treated semi-colons as query string separators. Your reference to the RFC demonstrates that a semi-colon should not be considered part of the query string, but rather as part of the path.
Anyway thanks for the update rails core. Will check it out and run my tests.
dugg! ;)
@Adam: I don’t see where the spec defines any structure for the query string. Parsing it is up to the application, not the server.
One of the real problems here is that /person/1;edit and /person/1 are the same file according to spec. Trying to blame spec-compliant libraries for a change to mongrel isn’t cool.
eagerly awaiting rails 2.0 and thanks for replacing semicolons with forward slashes for restful routing, as it was difficult to explain the choice to new rails learners and users of rails 1.1.x
We want the new AWDWR book updated for rails 2.0!!!:)
Eric, it’s debatable and has been. Since you wish to, please take it to the mailing list.
Did asset_host not make it into 1.2.4? Using:
ActionController::Base.asset_host = "assets%d.fiddle.com"
Results in paths like:
src="assets%d.fiddle.com/images/hello.png"
Chuck, that’s a Rails 2.0 feature.
I’m hoping this isn’t a silly question, but why was the semicolon chosen as the delimiter initially?
I remember being confused by the choice when it was initially announced, but don’t recall an explanation for the choice over doing something like what is discussed here.
I second Sklyblaze’s request for an updated version of AWDWR
I was just curious if there is a list of all the things deprecated within 1.2.4. If not, no worries then.
@Ryan: The semi-colon is a ‘non-hierarchical’ path separator, which has the academically appealing property that:
http://example.com/people/1;edit
is a ‘peer’, rather than a child of
http://example.com/people/1
Which is academically clever, but basically unsupported in most libraries :)
If the semicolon issue is debatable, then why state in the Rails blog that Mongrel and other libraries and browsers’ behavior is mistaken? How about wording it in a neutral way that just says there isn’t consensus? Then everyone can save face.
@semicolon issue:
Now it’s time to hurt your feelings as I upsets software industry fan Hey yo my man look at my hand they look human right? You think I’m a monster ill circus clown Not a specimen don’t look at me funny when I come around.
Leave me alone, leave me alone! (Politics, politics..)
Using rails:freeze:edge means we can’t use the 2.0 PR to create a new Rails project, right? It would be nice to be able to do so in order to see the defaults.
Love the additions to 2.0, thanks guys!
If you really need the gem, you could always check the latest at the rails repository:
gem query -n '^rails$' --remote --source http://gems.rubyonrails.org
Then fetch the appropriate version:
gem install rails -v 1.2.3.7707 --source http://gems.rubyonrails.org
Obviously avoid updating the gem for now, since you’ll get 1.2.4 again.
Just a quick warning: if you’re on a 256MB VPS, running “sudo gem install rails” takes an hour or more, as it’s grinding the server to death.
I’ve killed mongrel, mysql and apache before, the gem process eats up to 340MB virtual and 210MB res, and the server spends 99% of the time swapping memory (load average >4).
I can’t remember having seen this problem 3 months ago when initially setting up the server and installing rails 1.2.3.
Update to the post above: I’m now at 135 minutes and currently staring at “Installing ri documentation for activerecord-1.15.4…”. I assume all the other ri and rdoc install tasks will need at least one more hour, bringing me to a total of more than three hours (!) to upgrade to Rails-1.2.4.
This is insane.
I suspect I’m having a similar problem on my VPS. What are the memory requirements for this upgrade?
Thanks for this release!
I don’t use the generated document, so to install Rails:
gem install rails --no-rdoc --no-ri
The last time Rails had a security problem, you guys handled it pretty badly in terms of disclosure.
You then set up a rubyonrails-security Google Group, which lots of people joined, hoping you’d follow best practice around disclosure, going forward. You said you would.
But sadly not. You’ve released a new version of Rails that addresses security issues, but haven’t posted anything to the rubyonrails-security group.
You would do well to consider that being intuitively brilliant at web2.0 doesn’t make you intuitively brilliant at security release management, and that it might be wise to adhere to conventional wisdom in this area until you have a better idea.
Requiring systems managers and developers to read your blog to keep updated on security issues is not a better idea.
Ciao, Sheldon.
I want to upgrade my rails installation on vendor rails from 1.2.3 to 1.2.4 version:
1. gem update => installed rails 1.2.4 ok
2. delete vendor/rails from application
3. run rake rails:freeze:gems
Result:
Freezing to the gems for Rails 1.2.4
rake aborted!
uninitialized constant Gem::CommandManager::BuildCommand
(See full trace by running task with --trace)
And now the trace:
Can someone help me please?
Try upgrading rubygems. Though according to earlier comments, make sure you have plenty of RAM too. This is partly why I don’t use rubygems much anymore …
Thanks Rick, you’re right! I’ve upgraded to rubygems 0.9.4 and now rake rails:freeze:gems works!!! Thank u very much!!!
FYI: if you are using a commercial database (eg oracle), and upgrade to 1.2.4 you will also need to install the appropriate new activerecord-<db-name>-adapter gem.
Krishna, that’s for the upcoming Rails 2.0.
Rails 1.2.4 is a stable release and this step is not required.
For those looking for more information on the security fixes included in this release please see the rubyonrails-security group post at http://groups.google.com/group/rubyonrails-security/browse_thread/thread/239b034f4f808834 or http://www.rorsecurity.info/2007/10/10/rails-124-maintenance-release-security/
I’ve posted an upgrade guide that includes tips on how to track down deprecated code.
http://www.nullislove.com/2007/10/11/rails-version-124/
Excellent. Thanks to Michael for posting an advisory to the rubyonrails-security group.
How free software projects manage security issues is a big deal for a lot of people, and so this is important to Rails developers.
I know, it sounds crazy; customers who care about what’s under the hood. :-)
But it happens, and it’s happening more and more, as customers are more and more exposed to the open source environment.
Thanks, Sheldon.
Well Done. Hope the version 2.0 will come soon
Thank you for that release!