Friday, October 5, 2007

Rails 1.2.4: Maintenance release

Posted by David

This release contains additional deprecation notices, security fixes and some minor performance improvements. All users of 1.2.3 are advised to upgrade.

Deprecation Notices

If you intend to upgrade to 2.0 you should run your tests to and fix any errors that are displayed. The warnings will become errors with the release of 2.0.

If you’re using RESTful routing, pay special attention to the changes to route generation and recognition. The previous use of the semicolon in URLs has been replaced with a regular /. For instance /person/1;edit has become /person/1/edit. This change was made as several libraries, including mongrel, mistakenly treated semi-colons as query string seperators and some browsers and http libraries misbehaved.

Your old ;-based URLs will be continued to be recognized, though. They’re just no longer generated.

Security Enhancements

1.2.4 fixes several potential security issues:

  • Session fixation attacks are mitigated by removing support for URL-based sessions
  • Changed the JSON encoding algorithms to avoid otential XSS issues when using ActiveRecord::Base#to_json
  • Potential Security and performance problems with XmlSimple have been fixed by disabling certain dangerous options by default.

Upgrade with the standard gem install rails command. Rails 1.2.4 serves as a drop-in replacement for 1.2.3.

Update: please see the latest 1.2.5 stable release