Rails 3.1.2 has been released

Posted by jonleighton November 18, 2011 @ 01:51 AM

Rails 3.1.2 has been released. This is a patch-level release containing bug fixes and an important security fix.

Possible XSS vulnerability in the translate helper method in Ruby on Rails

There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.

  • Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
  • Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
  • Fixed Versions: 3.0.11, 3.1.2

Please see the rubyonrails-security posting and the changelog item below for more details.

Changes

Action Mailer:

  • No changes

Action Pack:

  • Fix XSS security vulnerability in the translate helper method. When using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped. GH 3664

    Before:

    translate('foo_html', :something => '<script>') # => "...<script>..."

    After:

    translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."

    Sergey Nartimov

  • Upgrade sprockets dependency to ~> 2.1.0

  • Ensure that the format isn't applied twice to the cache key, else it becomes impossible to target with expire_action.

    Christopher Meiklejohn

  • Swallow the error when an object can't be unmarshalled from the session.

    Bruno Zanchet

  • Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.

    Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.

    The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is exactly 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.

    Jon Leighton

  • Ensure users upgrading from 3.0.x to 3.1.x will properly upgrade their flash object in session (issues #3298 and #2509)
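The translate helper fix described in the Action Pack entry above, modelled as an added example (not Rails' own code): a constructed translation table stands in for the locale files, `SafeString` stands in for ActiveSupport::SafeBuffer, and the "before" and "after" helpers show why escaping interpolated values before marking an `_html` translation safe matters.

```ruby
require 'erb'

# Constructed sample translations (not from the project): keys ending in
# "_html" are treated by the helper as trusted markup.
TRANSLATIONS = {
  'greeting_html' => 'Hello <b>%{name}</b>',
  'greeting'      => 'Hello %{name}',
}

class String
  # Plain strings are untrusted; the view layer escapes them on output.
  def html_safe?; false; end
end

# Minimal stand-in for ActiveSupport::SafeBuffer: a string already escaped
# or verified, which the view layer will emit without further escaping.
class SafeString < String
  def html_safe?; true; end
end

# %{name}-style interpolation as used by the I18n translations above.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym) }
end

# Pre-3.1.2 behaviour: the _html translation is marked safe only after
# interpolation, so raw interpolated input reaches the page unescaped.
def translate_vulnerable(key, values)
  text = interpolate(TRANSLATIONS.fetch(key), values)
  key.end_with?('_html') ? SafeString.new(text) : text
end

# Fixed behaviour: for _html keys every interpolated value is escaped first
# (unless the caller already marked it html_safe), then the result is marked
# safe. Non-_html keys stay plain strings and are escaped by the view later.
def translate_fixed(key, values)
  return interpolate(TRANSLATIONS.fetch(key), values) unless key.end_with?('_html')

  escaped = values.each_with_object({}) do |(k, v), h|
    h[k] = v.html_safe? ? v : ERB::Util.html_escape(v)
  end
  SafeString.new(interpolate(TRANSLATIONS.fetch(key), escaped))
end
```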

Active Model:

  • No changes

Active Record:

  • Fix problem with prepared statements and PostgreSQL when multiple schemas are used. GH #3232

    Juan M. Cuello

  • Fix bug with PostgreSQLAdapter#indexes. When the search path has multiple schemas, spaces were not being stripped from the schema names after the first.

    Sean Kirby

  • Preserve SELECT columns on the COUNT for finder_sql when possible. GH 3503

    Justin Mazzi

  • Reset prepared statement cache when schema changes impact statement results. GH 3335

    Aaron Patterson

  • Postgres: Do not attempt to deallocate a statement if the connection is no longer active.

    Ian Leitch

  • Prevent QueryCache leaking database connections. GH 3243

    Mark J. Titorenko

  • Fix bug where building the conditions of a nested through association could potentially modify the conditions of the through and/or source association. If you have experienced bugs with conditions appearing in the wrong queries when using nested through associations, this probably solves your problems. GH #3271

    Jon Leighton

  • If a record is removed from a has_many :through, all of the join records relating to that record should also be removed from the through association's target.

    Jon Leighton

  • Fix adding multiple instances of the same record to a has_many :through. GH #3425

    Jon Leighton

  • Fix creating records in a through association with a polymorphic source type. GH #3247

    Jon Leighton

  • MySQL: use the information_schema rather than the describe command when we look for a primary key. GH #3440

    Kenny J

Active Resource:

  • No changes

Active Support:

  • No changes

Railties:

  • Engines: don't blow up if db/seeds.rb is missing.

    Jeremy Kemper

  • rails new foo --skip-test-unit should not add the :test task to the rake default task. GH 2564

    José Valim

As ever, you can see a full list of commits between the versions on Github.

Comments

  1. xuhao@rubyfans.com on 18 Nov 03:13:

    Awesome! forking brother!

  2. dimas priyanto on 18 Nov 07:06:

    good job! updating my dev application

  3. Jane on 18 Nov 07:34:

    ERR!!! ActiveRecord 3.1.2 going very slow!!

  4. Dima on 18 Nov 09:20:

    Thanks for the great job! Rails is the most advanced framework.

  5. John on 18 Nov 09:44:

    1. Created a brand new 3.1.2 app.
    2. Added a "pages" controller with a single "index" action.
    3. Added root :to => "pages#index"
    4. Fired up the development server on my Windows 7 machine (ruby 1.9.3p0).
    5. Navigated to 127.0.0.1:3000

    BOOM

    Note, if I perform the same steps as above with Rails 3.1.1 I don’t have any problems.

    ==========

    Sprockets::FileNotFound in Pages#index

    Showing C:/xxx/app/views/layouts/application.html.erb where line #5 raised:

    couldn’t find file ‘C:/xxx/app/assets/stylesheets’ (in C:/xxx/app/assets/stylesheets/application.css:6)

  6. Berislav on 18 Nov 10:07:

    Something is wrong with require_tree for both js and css files, it blows up the application like John above posted. Win7X64 ruby 1.9.3-p0

  7. Rolle on 18 Nov 10:57:

    Yes, blows up existing projects with Sprockets::FileNotFound in Pages#index

  8. wut on 18 Nov 12:54:

    yeah, something’s wrong with activerecord(?). after upgrading from 3.1.1 to 3.1.2, queries to mysql are running about 10 times slower :(

  9. murphy on 18 Nov 13:26:

    Would have been nice giving Domizio Demichelis some credit for pointing out this security problem a year ago: http://i18n.lighthouseapp.com/projects/14948-rails-i18n/tickets/32-the-translation-helper-is-unsafe. Thanks to Sergey Nartimov for the awesome patch!

  10. Jon Leighton on 18 Nov 13:52:

    Could those of you who are talking about this Sprockets::FileNotFound error file an issue on Github and include a test app which exhibits the problem please? I just tried the above instructions right now on Linux and it worked fine. Is it a windows specific problem?

    Same goes for any other bugs – please report on Github with instructions to reproduce.

  11. Timka on 18 Nov 14:07:

    3.1.2 gives me Sprockets::FileNotFound as well.

    I have to rollback to 3.1.1 to fix it.

  12. Rolle on 18 Nov 15:04:

    https://github.com/rails/rails/issues/3679

  13. Andrew on 18 Nov 15:05:

    Looks like the FileNotFound problem is specific to Windows. Win7X64, ruby-1.9.3-p0: app refuses to start unless ‘require_tree .’ is commented out. Everything works fine elsewhere though.

  15. stephenmurdoch on 18 Nov 15:49:

    it’s ok on linux, thanks rails guys

  16. Mike on 18 Nov 17:01:

    Sprockets::FileNotFound looks like it’s an issue with rails sprockets on windows only, make sure when upgrading to rails 3.1.2 that sprockets is updated as well to 2.1.1

  17. luizcunhalima on 18 Nov 23:38:

    The version 3.1.2 is too slow!!! I tried to use it on Windows 7 32-bit… I have rolled back to 3.1.1.

  18. Jon on 19 Nov 19:34:

    3.1.2 working well here after running 3.1.2rc without problems as well. Thanks Rails Core for the continued great work.

  19. roger on 20 Nov 01:43:

    Sweet. Now if only I were using rails 3…

  20. WT on 20 Nov 23:04:

    Why are we at 3.1.3 already?