Ruby on Rails 2.3.8 Released
Posted by Jeremy Kemper May 25, 2010 @ 04:52 AM
The 2.3.7 release slipped out the door too hastily. Fixing compatibility with the rails_xss plugin inadvertently forced everyone to use it. Facepalm.
I apologize for wasting a chunk of your day on installing what ought to have been a patch-level update only to find it breaks your app. That’s well out of line with our stable release process and it’s my fault for stepping out of it. I got caught up in a sky-is-falling response to a 2.3.6 bug that affected a handful of users and responded with a fix that exposed a new flaw to nearly all users, despite testing and sanity checking.
Thanks for all your feedback today. We hear you, and yes, a thousand times yes. Every stable release, including point releases, deserves the same methodical drumbeat on its march from git stable to .pre gem to final gem. Expect no less.
Now, on to the gem-cutting: Rails 2.3.8 is available now, bringing us back to stable ground.

Jeremy great work, we all know that was not your fault.
It’s really working? :)
Good response. Thanks. I’m testing it today.
Glad to see the quick turn around.
Thank you Jeremy (and Nathan, Santiago, Yehuda and Jose) for your work on this latest release.
Just upgraded. Everything is running smooth :)
too fast, too furious..
Thanks for the new release. The test suite for our application (not using the rails_xss plugin) passed on 2.3.6 but had many failures on 2.3.7 due to output being escaped that shouldn’t have been (Lighthouse #4681). After upgrading to 2.3.8, our tests run again with no failures.
You have given me years of work and cost me mere minutes in return. We all wish it didn’t happen, but in the grand scheme of things, it’s irrelevant (does anyone even remember the similar 1.2.3-> 1.2.6 kerfuffle?)
Thanks for saying ‘the buck stops here’ though. In my client environments, accountability is respected.
Luckily updating is easy. Just “bundle install --relock” and we’re done :)
Thanks :)
redirect_to :controller => 'foo', :action => 'bar'
where foo is another controller. now gives me the “You are being redirected.” page?
just updated from 2.3.5 to 2.3.8
any pointers?
Is this how it’s going to be now, a version a day?
Thanks! We´re back on track.
“You have given me years of work and cost me mere minutes in return.”
+1
Thank you, I will check and plan to upgrade.
Not first, but the important thing is being on page one.
good job!!!
Hm, still have a problem with 2.3.8. Got a helper which generates some HTML code, and some closing tags are escaped.
Like result = xyz + "</tag>", then that tag is escaped.
Bah! I don’t know, why did you delete my comment? What’s wrong, the name or spam?
I just wrote the “Thank you, I will check and upgrade …”
I don’t understand why you deleted my comment. What was wrong, the name, or was it spam?
I only wrote “Thanks, I will test and upgrade…”
My fault, I’m Sorry
Warning for all i18n Rails apps and 2.3.8:
all translations that return an empty string in your views break the application, see : http://github.com/rails/rails/commit/f7e27bd078c9fa25c2786faf1c499c79155bbb3c#L0R22
After installing Rails 2.3.8 (MacOS 10.6.3) my Rails 2.3.5 application runs in server mode, but script/console complains:
Loading development environment (Rails 2.3.5) Missing the Rails 2.3.5 gem. Please `gem install -v=2.3.5 rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed
I’m not sure if this was the spot to report this, please let me know if I need to post this somewhere else.
I have upgraded my production server and this seems to be working normally. Must say I have Ruby Enterprise Edition installed on my Mac (and production server).
Rails 2.3 releases are like London buses: you wait ages for one and then three come all at once.
:-)
pacak, ьнед в иисрев оп – тедуб и кат ьрепеТ!
Stuff happens. We all know this. Sometimes it even hits the fan.
Great! Let me update my rails.
/me waits a couple of days to make sure 2.3.9 doesn’t come around too.
Big thanks for handling all this!
Thanks Jeremy!
We’ve wrapped up a form builder which does something similar to what Skully (#18) explains. This is still broken in Rails 2.3.8, but had worked fine in previous versions.
I’ll hold off for 2.3.9…
Thank you Jeremy, and the whole team for your tireless work to provide more joy (“and less XML”) for web developers everywhere.
Great job Jeremy! Keep it up!
Thanks for the hard work. It’s still not quite a drop in replacement I’m afraid: h(name)+’
’ # still escapes the HTML. The fix is to add an empty string: ’’h(name)‘
’ # works
Thanks for the hard work. It was almost a drop in replacement but there is one problem left: Adding a string to a rails helper with ”+” will automatically escape the HTML. (Adding a rails helper to a string works OK, as does string interpolation)
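The concatenation behaviour reported in the comments above (helper + string escapes the literal, while string + helper and interpolation do not), reproduced as an added example that is not part of the original post or thread and is not Rails source. `ModelSafeBuffer`, `trusted` and the sample input are hypothetical stand-ins, assuming a safe-marked String subclass whose `+` escapes unmarked operands.

```ruby
require "erb"

# Simplified model of a "safe buffer" (hypothetical class, not Rails source):
# a String subclass whose contents are treated as trusted markup.
class ModelSafeBuffer < String
  def html_safe?
    true
  end

  # Appending to trusted markup escapes any operand not itself marked safe.
  def +(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    piece = safe ? String.new(other) : ERB::Util.html_escape(other)
    ModelSafeBuffer.new(String.new(self) + piece)
  end
end

# Stand-in for h(): escape untrusted input and mark the result safe.
def h(text)
  ModelSafeBuffer.new(ERB::Util.html_escape(text))
end

# Stand-in for marking a literal the developer wrote as trusted markup.
def trusted(markup)
  ModelSafeBuffer.new(markup)
end

# Helper on the left: ModelSafeBuffer#+ runs, so the literal tag is escaped.
def helper_plus_string(name)
  h(name) + "<br/>"
end

# Plain String on the left: String#+ runs, nothing more is escaped, and the
# result is an ordinary String that no longer carries the safe mark.
def string_plus_helper(name)
  "" + h(name) + "<br/>"
end

# Interpolation also produces an ordinary String.
def interpolation(name)
  "#{h(name)}<br/>"
end

# Both operands marked safe: the tag survives and the result stays safe.
def both_trusted(name)
  h(name) + trusted("<br/>")
end

SAMPLE = "<b>Bob</b>" # constructed untrusted input
puts helper_plus_string(SAMPLE), string_plus_helper(SAMPLE), both_trusted(SAMPLE)
```

In every variant the untrusted name itself is escaped; only the treatment of the developer's own literal tag differs.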
Having failures when running cucumber features for clearance on rails 2.3.8.
Not sure if I’m only one getting this (ruby 1.8.7 & 1.9.1) but maybe it’s because of how rails flash is being brought along to be more 3.0ish (seems to be losing the flash on redirects)
We’re having problems with escaped HTML from helpers (similar to comments #18, #30, #34). We were already using the rails_xss plugin and have these helpers marked as safe_helper but it doesn’t seem to have any effect anymore—it is still getting escaped. Is there something we’re missing in order to enable rails_xss to work properly in 2.3.8?
This worked fine in 2.3.5 with the rails_xss plugin from NZKoz’s branch.
Nate (36): I’m seeing the same problems with the flash getting lost on redirects.
I bisected Rails and it was the upgrade to Rack 1.1.0 that caused the issue. However, the flash works for me via the browser, so I’m blaming Cucumber at the moment. I don’t think I have the energy right now to keep digging.
Rails is not on stable ground yet.
@Nate Clark: a fix has been applied after the release of 2.3.8, maybe it fixes these problems. http://github.com/rails/rails/commit/a815f0c5a3a873aefca76f459ce05ddde73080db
I am definitely waiting for 2.3.9 before upgrading.
While I am not blaming anyone personally, these past three releases have been a joke. They nullify any headway into the enterprise and frankly worry me a little. What steps are being taken to prevent this kind of thing from happening again?
We at Spree will probably wait for 2.3.9 till the issue reported by Skully(#18) is fixed. Stand by.
I still get HTML-safety break even though I’m using rails_xss plugin and rails 2.3.9
Indeed.
Rails 2.3.8 still breaks many helpers that use string concatenation. Waiting for 2.3.9…
I can confirm the issues with helpers and unwanted HTML escaping.. c’mon guys, get your act together.
Flash messages indeed also seem to get lost on redirects. 2 bugs so far and counting..
I can confirm that installing 2.3.8 causes this error in both development and production:
Loading development environment (Rails 2.3.5) Missing the Rails 2.3.5 gem. Please `gem install -v=2.3.5 rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed
Regarding “missing 2.3.5 gem”, check this page – http://docs.heroku.com/rails236
Thanks for the hard work.
Pout-whiners abound _itching is not helpful, contribute with some bug fixing
Managing your application upgrades is your own f*n responsibility, if you jump in blind it’s your stupid ass decision.
had to be said
In defense of the rails-still-good-for-the-enterprise camp, the enterprise moves so slowly guys would still have tickets in to upgrade to rails 2.0.
Most enterprise shops aren’t upgrading the day something is released (like us nuts are).
Thanks for the new release, but the Authlogic gem stops working with the following errors:
NoMethodError: undefined method `demodulize’ for nil:NilClass
from /usr/lib/ruby/gems/1.8/gems/activesupport-2.3.8/lib/active_support/whiny_nil.rb:52:in `method_missing’
from /usr/lib/ruby/gems/1.8/gems/authlogic-2.1.4/lib/authlogic/session/klass.rb:61:in `initialize’
from /usr/lib/ruby/gems/1.8/gems/authlogic-2.1.4/lib/authlogic/session/scopes.rb:79:in `initialize’
from (irb):1:in `new’
from (irb):1
Any ideas?
I got an accepts_nested_attributes_for ‘_delete’ feature broken in Rails 2.3.8
unknown attribute: _delete (ActiveRecord::UnknownAttributeError)
Choo choo! Thanks!
@Apux #50: please stay with Authlogic <2>
Mattax, I too am now seeing the “You are being redirected” message after upgrading. There are quite a number of hits for this issue but no answers yet. Anybody else seeing this, or have a solution?
@Nate Clark #37 try the new version of the rails_xss plugin. It looks like they made the same changes for Rails 2.3.8: http://github.com/rails/rails_xss
@Nate Clark #37
Hi, so my problem is solved. I forgot that I rewrote ActionView::Base.field_error_proc in my config. It was not html_safe!, so if I create some validation error, the rails_xss plugin escapes it.
Sorry for my English.
I can confirm the bug with helpers and unwanted HTML escaping. I tried using .untaint to prevent strings from escaping, but without success.
The problem I reported on #12 has been fixed by moving to thin server. mongrel_rails start still has the problem. passenger is also fine.
Some helpers, like collection_select still need to be fixed. The error is: ActionView::TemplateError (undefined method `html_safe!’ for 1) on line #9 of app/views/admin/course_classes/_course_classes_search.html.haml:
The line 9: 9: = collection_select(nil, :course, @courses, :id, :name, {prompt: 'todos', selected: params[:course].to_i})
Thanks!
Everything works great except for this
Installing ri documentation for rails-2.3.8… Building YARD (yri) index for rails-2.3.8… Unhandled exception in YARD::Handlers::Ruby::Legacy::ModuleHandler: in `lib/rails_generator/generators/components/helper/templates/helper.rb`:1:
Thanks for the hard work, Jeremy.
Obviously the problem here is not with the release process, but with the fact it took so long to release a patch level version, adding up to too many changes at once.
I particularly think this xss auto escaping is a great mess. Am I alone? It’s a simple feature that will give a huge headache when upgrading apps, besides the countless problems it already gave to Rails developers. Is it too late to add a flag so it can be enabled/disabled in Rails 3 (pardon my ignorance if there is one already)? I think it should be implemented using taint / untaint.
@longdcr maybe this can help you https://rails.lighthouseapp.com/projects/8994/tickets/3779-accepts_nested_attributes_for-not-working-per-docs (ie simply change _delete for _destroy)
Still too many test suite errors — I’ll wait with upgrading until 2.3.9 or Rails 3 is released.
Just go with Ramaze, it’s much better than Rails anyway.
@Bernardo: I could not agree more. The whole XSS auto-escaping feels like the dreaded ‘MAGIC_QUOTES’ in php. Never ever have ‘magic’ approaches to security caused anything but headaches.
They are meant to help bad programmers, and they are going to annoy good programmers. They hide obvious security problems from tests and create new, subtler ones.
What do we get next? Values that are auto-escaped against SQL, because some people don’t know how to use placeholders?
This can never work. ‘Magic’ security is a bad idea. You have to empower programmers to make good, informed decisions so they can write secure code. “Fixes” like this one do the opposite.
Yeah, this isn’t good. Rails 3.0 is an upgrade nightmare, and even this release caused all kinds of problems with escaped helpers, even though on 2.3.5 it was working fine with the orphaned 2.3.5 xss_safe plugin. I’m really getting frustrated, because I feel stuck on older versions of rails and the newer ones are problematic.
Also having the “You are being redirected” problem after upgrading from 2.3.5.
redirect_to :controller => 'admin/menu', :action => :first_new_admin
from within a before_filter
I also agree with you, Bernardo. I don’t like this approach at all. That being said, I haven’t tried it yet so time will tell. Regardless, I’ll also hold out for 2.3.9.
Just wanted to say +1
Tested rails_xss and it’s a complete nightmare.
2.3.8 still doesn’t work in my case since it escapes helpers that use strings and "+" concatenation #4695.
I certainly hope Rails3 will have an opt-out version of xss protection that lets us keep our own solutions.
Hi folks!
Avira says there is virus in installation of rubyinstaller.exe windows version.
“Virus or unwanted program ‘TR/Dropper.Gen [trojan]’ detected in file ‘C:\Ruby191\bin\is-BCGCF.tmp.”
Installing version 1.8.7 it happens the same.
I don’t understand the rails team.
A new minor version of rails 2.3 has been released after many months and its release is a complete fail.
We now have a rails 2.3 stable version that is clearly unusable for production. What are they waiting for?
PS : and I’m not even talking about rails 3 dev cycle that is also rather crappy. The time between two releases is way too long and I’m sure they’ll have the same kind of problems.
And Rails isn’t what it used to be…
Seems like the same “stellar” work being produced by DHH as normal.
I have found this auto escaping plugin really slow. Currently I’m not using it at all – instead I’m using xss_terminate for escaping user input and for me it is enough. So, migrating to 2.3.8 with my app was not so painful – I had to just add one html_safe call in one helper method. But if they are planning to make this xss_rails (or whatever it is called) default in ror3 without an option to disable it then it starts to be problematic. How does it fit the main goal of ror3 to make everything optional?
@Skully (18) and Matthew Horan (30), etc…..
Maybe this would help?
http://api.rubyonrails.org/classes/ActionView/Helpers/TagHelper.html#M002244
Where are the 2.3.8 release notes??
We have a soccer betting game running – while everything works fine in 2.3.5 – under 2.3.8 the following construct does weird stuff:
we have a bettingteam, that has one leader (class user) defined via leader_id – and members (class user) defined via bettingteam_id in the user.
With some updates on a plain user, the teamleader of his team is also set. Very weird. I think we are downgrading our server.
All of my tests that examine the flash are broken by 2.3.8.
Fix?
By the way: downgrading to 2.3.5 solved the strange problem detailed above.
I tried upgrading to rails 2.3.8 on two different machines, one of which runs Ubuntu (a staging server), the other Mandriva Linux (development).
On the staging server, redirect_to :controller => 'another_controller', :action => 'index' now causes Firefox to put up a screen with a link stating simply ‘You are being redirected’ (more or less), and if you click on the link, you finally get the page rendered by ‘another_controller/index’. Strangely this does not happen on the development server.
Also on the staging server we get the following error:
Errno::EIO (Input/output error): app/controllers/facilities_controller.rb:53:in `get_stuff’
when we execute the following line of code:
@facility = Facility.find params[:id], :include => :facility_status
This worked just fine under rails 2.3.5, and strangely, it works on the development server.
Is there a better way to report these anomalous behaviors?