Ruby on Rails 2.3.4: Security Fixes
Posted by michael September 04, 2009 @ 06:04 AM
We’ve released Ruby on Rails 2.3.4. This release fixes bugs and introduces a few minor features. Because it includes two security fixes, all users of the 2.3 series are recommended to upgrade as soon as possible.
Security Fixes
2.3.4 contains fixes for two security issues which were reported to us. For more details see the security announcements:
Bug Fixes
Thanks to the success of the BugMash we have around 100 bug fixes as part of this release. Of particular note is the fix to reloading problems related to rack middleware and rails metals when running in development mode.

Just an FYI you have a misspelling (missing “e”) in the second sentence under Bug Fixes. “Of particular not(e)”
I’m loving it. How do I use seeds.rb? Is there any manual?
I’m getting lots of deprecation warnings wrt ActiveRecord::Errors#generate_message:
DEPRECATION WARNING: ActiveRecord::Errors#generate_message has been deprecated. Please use ActiveRecord::Error#generate_message.. (called from generate_message at /Users/jeroen/Projects/java/jruby-1.3.1/lib/ruby/gems/1.8/gems/activerecord-2.3.4/lib/active_record/validations.rb:324)
Any ideas what is causing these warnings and what I have to change in my app?
Thanks for the hard work! My tests take about 15% more time to complete with 2.3.4 versus 2.3.3.
Any ideas where the slowdown comes from?
Thanks, seems that the future of technology is really stunning!
@Jeroen I also got a ton of those deprecation warnings. For me this was because I was using the Remarkable gem which calls that method. It did this:
model.errors.generate_message(attribute, message, :count => '12345')
I modified that to:
::ActiveRecord::Error.new(model, attribute, message, :count => '12345').to_s
and now I have no deprecation warnings anymore.
Does anybody else get a similar error when migrating from rails 2.3.3 to 2.3.4:
ActionView::TemplateError (undefined method `^' for 1)
It seems removing the old cookie from the browser fixes the bug; however, now I probably should force all users’ cookies to be cleared when they visit the site.
Anyhow, db:seeds is nice new feature indeed!
@Lawrence Thanks! I’m also using the Remarkable gem. I suspected that that was causing the trouble.
Sounds great – always good to see kaizen in your framework of choice.
I know this probably isn’t the place, but our team has been getting a few ‘uninitialized constant’ errors upon upgrade, specifically Rails::Initializer::Digest for some devs and ActionController::AbstractResponse for others.
@Priit,
same error here, in my app it seems related to an incompatibility with authlogic (2.1.1).
The error is generated by the new Timer Weakness patch.
No way to get it to work.
Error log below:
NoMethodError (undefined method `^' for 6):
  authlogic (2.1.1) lib/authlogic/session/session.rb:54:in `update_session'
  authlogic (2.1.1) lib/authlogic/session/callbacks.rb:75:in `after_persisting'
  authlogic (2.1.1) lib/authlogic/session/persistence.rb:59:in `persisting?'
  authlogic (2.1.1) lib/authlogic/session/persistence.rb:39:in `find'
  app/controllers/application_controller.rb:184:in `current_user_session'
  app/controllers/application_controller.rb:189:in `current_user'
  app/controllers/application_controller.rb:193:in `require_user'
  <internal:prelude>:8:in `synchronize'
  /usr/local/lib/ruby/1.9.1/webrick/httpserver.rb:111:in `service'
  /usr/local/lib/ruby/1.9.1/webrick/httpserver.rb:70:in `run'
  /usr/local/lib/ruby/1.9.1/webrick/server.rb:183:in `block in start_thread'
Getting errors when attempting to update from Rails 2.3.3 to 2.3.4 on Windows
D:\> gem update rails
Updating installed gems
Updating rails
ERROR: While executing gem ... (Zlib::BufError)
    buffer error
After 5 attempts, gem update succeeded… Don’t know if problem is intermittent or just my installation.
Thanks for this security fix. You also updated rubygems from 1.3.1 to 1.3.2. But in production in Debian, we can’t update rubygems if it’s installed via aptitude.
Waiting for rubygems to be supported in this version by every package system would be a good idea.
This introduced a VERY severe bug as Priit and Stid mentioned: https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/3144-undefined-method-for-string-ror-234
Basically kills rails for Ruby 1.9. DO NOT UPGRADE TO 2.3.4 IF YOU ARE USING RUBY 1.9 or your app will become unusable.
Seems to break seed_fu with model names that end with “error”.
The following now raises an error:
TestError.seed(:test_id, :error_id) do |f|
  f.test_id = 1
  f.error_id = 1
end
Here is the output:
Seed from db/fixtures/test_error.rb =======================
rake aborted!
undefined method `find' for ActiveRecord::Error:Class

Thanks for the quick XSS fix :-)
I posted a quick intro to a few ways that you can use the new seeds feature on my blog:
I updated my app from rails 2.3.3 to rails 2.3.4. As a result, my app became very slow in view (100ms => 400~500ms). Does anyone have the same problem?
The Authlogic failure on 2.3.4 seems to be related to ruby 1.9.1. I have the same problem when I update to 2.3.4 and ruby 1.9.1, but when I revert to ruby 1.8.7 with 2.3.4 the error does not happen.
This is a terrible and very irresponsible release.
This release breaks any installation that is running on ruby 1.9 or above. Somebody did a really bad planning job here; how could you release something like this during a US holiday weekend. WTF!
@tankwanghow Oh, really? I use ruby 1.8.7 (and restful_authentication).
This is an outrageous issue which was introduced in the latest rails update.
https://rails.lighthouseapp.com/projects/8994/tickets/3144
@stid: I get the same error with a skeleton rails app as well, so the bug scope should be with the new secure_compare method at active_support/message_verifier.rb. I’ll try to investigate it a bit more later.
sudo gem install rails --version "2.2.3"
ERROR: could not find gem rails locally or in a repository
What am I missing? Works for Rails 2.2.2
Rock on with db:seed! I had something similar in my own code and we were about to pull it across into a production app! Cheers all.
If your app is running on Phusion Passenger make sure your Apache is using the latest Passenger 2.2.5 gem if you redeploy with Rails 2.3.4 frozen into your app, otherwise you will see some weird 500’s with a stack trace looking like:
Status: 500 Internal Server Error undefined method `rewind' for IO
(or UNIXSocket)
I second Mukund on the complaint here. The gem package for the announced 2.2.3 version can’t be found anywhere.
Thank you so much Priit!!! It took me ages to find that all I needed to do to get rid of the weird `^’ error was to clear the cookies for the site! I am in your debt!
It turns out that clearing the cookies only fixes the error until the session is written to again. As soon as rails tries to access the session, the corrupt information breaks the application again. Anyone have any ideas on this? Running rails 2.3.4
Ok, so there is a patch available for this issue. For anyone else struggling with this problem you can find the patch here:
https://rails.lighthouseapp.com/projects/8994/tickets/3144/a/261015/0001-ruby-1.9-friendly-secure_compare.patch
I have tested this and the problem is fixed in my environment. Hope this saves someone else a headache!
Running rails 2.3.4 with ruby 1.9
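The secure_compare problem Priit and Fitz describe, as an added example that is not part of the post or of Rails’ own code: the index-based comparison that breaks on Ruby 1.9 beside a byte-based one that runs on both, wrapped in an HMAC signature check whose names (sign, valid_signature?) are invented here.

```ruby
require 'openssl'

# Added example, not Rails code: constant-time comparison of the kind
# Rails 2.3.4 introduced for checking cookie/session signatures.

# Modelled on the 2.3.4 behaviour: XOR the result of String#[] per index.
# On Ruby 1.8, "abc"[0] is the Integer 97, so `^` works. On Ruby 1.9 and
# later, "abc"[0] is the String "a", which has no `^` method, hence the
# "undefined method `^'" errors in this thread. Shown only for the failure.
def secure_compare_indexed(a, b)
  return false unless a.length == b.length
  result = 0
  a.length.times { |i| result |= a[i] ^ b[i] }
  result == 0
end

# Reports whether the indexed form runs at all on the current Ruby.
def indexed_compare_works?(a, b)
  secure_compare_indexed(a, b)
  true
rescue NoMethodError
  false
end

# Portable form: compare byte values, independent of String#[] semantics.
# Every byte of equal-length inputs is visited, so the time taken does not
# reveal the position of the first mismatch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.unpack("C*").zip(b.unpack("C*")) { |x, y| result |= x ^ y }
  result == 0
end

# HMAC-SHA1 as a stand-in for MessageVerifier's digest (assumed helper;
# Ruby 1.8 spelled the digest class OpenSSL::Digest::Digest).
def sign(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Verify with the constant-time comparison rather than plain ==.
def valid_signature?(secret, data, digest)
  secure_compare(sign(secret, data), digest)
end

if __FILE__ == $0
  sig = sign('secret', 'user_id=42')
  puts valid_signature?('secret', 'user_id=42', sig)   # true
  puts indexed_compare_works?('abc', 'abc')            # false on Ruby >= 1.9
end
```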
This patch adds significant load. Perhaps it could be rewritten in a way that would allow high traffic sites to use it?
doing: >> 10000.times {ActiveSupport::Multibyte.clean("dfgasdfgafshadfhafdhadfhadfhafd")}
takes roughly 3 seconds on my macbook pro…
Fitz – the secure_compare.patch is exactly what I need, I think. But I have no idea how to apply it. I need to apply it to my local windows and to our suse linux server.
Does anyone have a good “how to apply a RoR patch”?
Thanks!
There are some small things left for announcing the new release:
The Ruby On Rails home page still talks about Version 2.3.3 as newest version.
There are fine release notes, but they are hard to find on the ROR webpage (when I don’t go over this blog page). I think they should be linked somewhere on the “documentation” page: http://rubyonrails.org/documentation
It’s shocking to see a release has not yet happened. rails 2.3.4 has a show-stopping bug for ruby 1.9 (which ruby-lang.org promotes as the standard ruby), reported in lighthouse (#3144) on the day 2.3.4 was released, and 14 days later there is no 2.3.4.1 or 2.3.5 yet.
@Don agreed!
@Michael Seriously? Perhaps some “high-traffic site” maintainer could rewrite it to work as they would expect.
Because with “high-traffic” you are implying that it’s not a toy, which, if the case, means that you are asking people who are not making any revenue off this site to fix it for the people that do.
That my friend, is the world upside down.
Also: https://rails.lighthouseapp.com/projects/8994/tickets/3158-multibyte-cleanup-cleanup-performance-and-readability
Please pay your respects to the people making this all possible or contribute yourself, instead of whining.
Nice to see the rails 2.3.4
There isn’t any information about rails 2.3.4 on http://rubyonrails.org/
I am trying to find the ticket for the “fix to reloading problems related to rack middleware and rails metals”.
Dug around but couldn’t find it on https://rails.lighthouseapp.com. Does anyone know the ticket number?
I reverted my rails to 2.3.3 with:
gem install rails -v 2.3.3
using gem install rails --version="2.3.3" causes a broken pipe:
ERROR: While executing gem ... (Gem::RemoteFetcher::FetchError)
    Errno::EPIPE: Broken pipe (http://gems.rubyforge.org/gems/actionmailer-2.3.3.gem)