Rails 3.0.6 has been released!

Posted by aaronp April 06, 2011 @ 12:30 AM

Hi everybody! Rails 3.0.6 has been released!

Let's get the serious business out of the way first:

Rails 3.0.6 contains an important security fix! Please upgrade!

Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability in the auto_link helper. auto_link marks the string it returns as "html safe", so ERB's <%= %> skips escaping it, even when the input came from an untrusted source such as a request parameter.

For example:

<%= auto_link(params[:content]) %>

If the "content" parameter contains malicious JavaScript, that script is written into the page without being escaped and runs in the victim's browser.

How can I protect myself?

  • Upgrade to Rails 3.0.6, then content passed to auto_link will be automatically escaped for you.

  • If you cannot upgrade Rails, then apply the patch from the fix commit (61ee3449674c591747db95f9b3472c5c3bd9e84d in ActionPack, listed under changes of note below). Then auto_link content will be escaped for you.

  • If you cannot upgrade Rails, or apply the patch, then wrap the result of auto_link in sanitize, so that tags such as <script> are stripped before the string reaches the page:

    <%= sanitize(auto_link(params[:content])) %>

    Only if you trust the input (for example, markup your own application produced) should it be rendered unescaped, by wrapping the call in raw:

    <%= raw(auto_link(params[:content])) %>

    Do not use the raw form on user-supplied content: raw marks a string html safe without inspecting it, which reintroduces exactly this vulnerability.
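The following is an added illustration, not code from Rails or from the original post: a stripped-down model of the html_safe contract that <%= %> relies on, showing how the pre-3.0.6 auto_link broke it and what the fix changes. SafeString, erb_output, wrap_urls, auto_link_vulnerable, auto_link_fixed and demo are names chosen for this example, and URL_RE is a deliberate simplification of the pattern Rails uses; the payload is constructed.

```ruby
# Added illustration, not Rails code: a minimal model of the html_safe
# contract and of how the pre-3.0.6 auto_link violated it. All names
# below are chosen for this example; URL_RE is a simplification.
require 'cgi'

class String
  # Ordinary strings are untrusted and must be escaped on output.
  def html_safe?
    false
  end
end

# Stand-in for ActiveSupport::SafeBuffer: a string that claims to be
# already escaped. The template trusts this flag and skips escaping.
class SafeString < String
  def html_safe?
    true
  end
end

def html_escape(text)
  CGI.escapeHTML(text.to_s)
end

# Stand-in for <%= value %> in Rails 3: escape unless flagged safe.
def erb_output(value)
  value.html_safe? ? value.to_s : html_escape(value)
end

# Stand-in for the raw helper: set the safe flag without escaping.
def raw(text)
  SafeString.new(text.to_s)
end

URL_RE = %r{https?://[^\s<"]+}

def wrap_urls(text)
  text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Pre-3.0.6 behaviour, simplified: link the URLs, then flag the whole
# result safe although the surrounding text was never escaped.
def auto_link_vulnerable(text)
  SafeString.new(wrap_urls(text))
end

# Fixed behaviour: escape the untrusted input first, then link. The
# safe flag is now truthful, so the template can skip escaping.
def auto_link_fixed(text)
  SafeString.new(wrap_urls(html_escape(text)))
end

# Render one payload through each path and return what the browser
# would receive. raw_bypass shows why raw must never wrap user input.
def demo(payload)
  {
    vulnerable: erb_output(auto_link_vulnerable(payload)),
    fixed:      erb_output(auto_link_fixed(payload)),
    raw_bypass: erb_output(raw(payload)),
  }
end

if __FILE__ == $0
  # Constructed attacker input: a script tag followed by a genuine URL.
  payload = '<script>alert(1)</script> see http://example.com'
  demo(payload).each { |path, html| puts "#{path}: #{html}" }
end
```

The vulnerable path delivers the literal `<script>` tag with a working link beside it, which is exactly what makes the bug easy to miss in a browser; the fixed path keeps the link and neutralises the tag. The sanitize workaround from the list above sits in between: it strips dangerous tags from the already-linked output instead of escaping the input up front.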

Credits

Thanks go to Torben Schulz for reporting this issue!

SERIOUS BUSINESS COMPLETE

After two release candidates, we are very excited to announce the release of Rails version 3.0.6! I want to thank everyone who tried out the release candidates and reported their feedback! I hope that we can continue soliciting feedback from the public before releasing final versions.

LOL CHANGES!!!!

For changes in a particular package, please view the CHANGELOG in each particular project on github. Even better, you can check the compare view.

Changes of note are:

  • The above security fix in ActionPack 61ee3449674c591747db95f9b3472c5c3bd9e84d

  • Un-deprecating the reorder method in ActiveRecord 235a4142aa3fee73faa0f01e267a2b4254cea8ce

  • A backport of "cheaper attributes reads" in ActiveRecord 86acbf1cc050c8fa8c74a10c735e467fb6fd7df8

  • Correctly handling before_type_cast on timezone-aware attributes 0823bbd757f3654a08d300e27873758da606f06a

  • Escaping binary data in sqlite3 inserts 7222786c15eacbd432b2bce9798d3f3459f7e05f

  • Fixing schema support for the mysql adapter eb1eac93151c1d45c3ef292d99bfcf74799185ea

This change list IS NOT exhaustive. They are just some of my favorites! For the complete list please see the CHANGELOG files or view the diff on github.

GEM CHECKSUMS

If you want to make sure that you've got the right gems, here are the SHA-1 sums of the gem files as built, taken before I pushed them! Compare them against the gems you download before installing.

shasum *

  • fc7b0503bdf99d1ec08dc0dcee3677ca1dd29f0f actionmailer-3.0.6.gem
  • e8fbefd5b0a46408dd557331700ea514a4c199ab actionpack-3.0.6.gem
  • 8509520744ecd8e6712158311a16ba4782b454e2 activemodel-3.0.6.gem
  • 3b392e811ba342a5bf430d89cf4f060d119aba64 activerecord-3.0.6.gem
  • 9eea440bdf885e857ebfb5ff8e31119f76a18a4e activeresource-3.0.6.gem
  • 175ba6286f7802edeeaab30f900d87a38f516728 activesupport-3.0.6.gem
  • ebeea3c1f03db3309ea9a6640e1767ab144ff567 rails-3.0.6.gem
  • 61e24f94ea87fc58175b2067f7f6a3a8c468bfe0 railties-3.0.6.gem
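As an added example that is not part of the post, here is a small checker that turns the list above into the verification step a practitioner would actually run: fetch the gem files, compute their SHA-1, and refuse to install anything whose digest does not match. PUBLISHED_SUMS is copied from the list above; parse_sums and verify_gems are names chosen for this example, and the usage comment assumes the gems were saved into a local directory (for example with `gem fetch`).

```ruby
# Added example, not part of the post: verify downloaded gem files
# against the SHA-1 sums published in the announcement. parse_sums and
# verify_gems are names chosen here; the sums are copied from the post.
require 'digest'
require 'tmpdir'

PUBLISHED_SUMS = <<~SUMS
  fc7b0503bdf99d1ec08dc0dcee3677ca1dd29f0f  actionmailer-3.0.6.gem
  e8fbefd5b0a46408dd557331700ea514a4c199ab  actionpack-3.0.6.gem
  8509520744ecd8e6712158311a16ba4782b454e2  activemodel-3.0.6.gem
  3b392e811ba342a5bf430d89cf4f060d119aba64  activerecord-3.0.6.gem
  9eea440bdf885e857ebfb5ff8e31119f76a18a4e  activeresource-3.0.6.gem
  175ba6286f7802edeeaab30f900d87a38f516728  activesupport-3.0.6.gem
  ebeea3c1f03db3309ea9a6640e1767ab144ff567  rails-3.0.6.gem
  61e24f94ea87fc58175b2067f7f6a3a8c468bfe0  railties-3.0.6.gem
SUMS

# Parse "<sha1>  <filename>" lines (the format shasum prints) into a
# Hash of filename => expected hex digest. Lines that do not start with
# a 40-hex-digit sum are ignored.
def parse_sums(text)
  text.each_line.with_object({}) do |line, sums|
    sum, name = line.strip.split(/\s+/, 2)
    next unless sum =~ /\A\h{40}\z/ && name
    sums[name] = sum.downcase
  end
end

# Compare every expected file in dir against its published digest.
# Returns filename => :ok, :mismatch or :missing. Nothing is installed
# here; the caller should refuse to `gem install` anything not :ok.
def verify_gems(sums, dir)
  sums.each_with_object({}) do |(name, expected), result|
    path = File.join(dir, name)
    result[name] =
      if !File.file?(path)
        :missing
      elsif Digest::SHA1.file(path).hexdigest == expected
        :ok
      else
        :mismatch
      end
  end
end

if __FILE__ == $0
  # Usage: ruby verify_gems.rb /path/to/downloaded/gems
  # (assumed directory, e.g. filled with `gem fetch rails -v 3.0.6` and
  # the matching fetches for the other seven gems)
  dir = ARGV[0] || Dir.pwd
  verify_gems(parse_sums(PUBLISHED_SUMS), dir).each do |name, status|
    puts format('%-28s %s', name, status)
  end
end
```

Two caveats a practitioner would want. The sums are SHA-1 and were published on the same blog that announced the gems, so this check catches a corrupted or swapped download but does not add an independent trust root; comparing against a second, separately obtained source of digests is stronger. And `gem fetch` retrieves only the named gem, not its dependencies, so every gem in the list has to be fetched and checked individually.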

IN CLOSING

Thank you for waiting for me to finish vacation before I released this! I hope that everyone enjoys this bugfix release of Rails. Next time I'll try not to vacation so much! ;-)

<3 <3 <3 <3 <3


Comments

  1. Evan Walsh on 06 Apr 00:33:

    Thanks for all the hard work!

  2. Roman Ralovets on 06 Apr 00:37:

    what delight =)

  3. Brett Goulder on 06 Apr 00:46:

    That post was action-packed!

  4. Aaron Patterson on 06 Apr 00:51:

    I’m glad to help!!

    @Brett lulz!

  5. akai on 06 Apr 00:56:

    Good job!!

  6. joe lackner on 06 Apr 00:59:

    RAILS: SERIOUS BUSINESS

  7. Bernardo on 06 Apr 01:11:

    Great! Thanks for the hard work! :)

  8. anon on 06 Apr 01:33:

    we we we….is that on purpose?

  9. Bruno Barros on 06 Apr 01:33:

    so fast! good job!

  10. Simon on 06 Apr 01:36:

    Thanks for the info. You should really provide a quick mention of just how exactly rails is upgraded for those who have never done it before though.

  11. Brian on 06 Apr 01:43:

    Maybe an obvious question – but if you aren’t using auto_link is there an immediate need to upgrade?

    Is that function used internally by any other functions (excluding plugins/gems)?

  12. miguelsan on 06 Apr 01:43:

    Any chance of Decent Exposure making it for Rails 3.1? As presented by Ryan Bates (Railscast 259), it would make Rails more decoupled, drier, more beautiful, and I would bet also skinnier and faster in the guts. Thumbs up for Decent Exposure!

  13. gg on 06 Apr 02:04:

    Thanks for the hard work. Do come to Malaysia on your future vacations!! We have great people, food and fun!

  14. cah on 06 Apr 02:16:

    Rails rocks!

  15. sdr on 06 Apr 02:33:

    Thanks for hard work!

  16. Lee on 06 Apr 03:07:

    That’s a lot of hearts at the end of that post…pink warrior must have been here.

  17. Ben on 06 Apr 03:18:

    Tripping balls.

  18. Hồ Chủ Tịch on 06 Apr 04:22:

    Thank you very much, have a happy holiday.

  19. Dominik on 06 Apr 04:23:

    Thanks Torben!

  20. jonas schneider on 06 Apr 05:05:

    The patch can be directly downloaded in .patch format here:

    https://github.com/rails/rails/commit/61ee3449674c591747db95f9b3472c5c3bd9e84d.patch

  21. dan on 06 Apr 05:26:

    before_type_cast on a datetime with 3.0.6 returns a datetime. Shouldn’t it return the string that the user entered?

  22. Messiah! on 06 Apr 08:06:

    Fuck yeah!

  23. Alex on 06 Apr 09:09:

    To aaronp: how about we keep the official rails announcements free of lolspeak and the excessive use of emoticons?

  24. Adam on 06 Apr 09:21:

    Who the hell gave this guy access to post on this blog? Poor show.

  25. Anders on 06 Apr 09:29:

    Alex, Adam, please go back to Java ;)

  26. Roy Tomeij on 06 Apr 09:37:

    Can you please add “r0flc0pt3r” somewhere?

  27. Thijs on 06 Apr 09:38:

    Agree with Adam. Announcements of releases (especially with security fixes) should be to the point and serious.

  28. Ollie on 06 Apr 10:14:

    Thanks! Wee wee wee wee wee…

  29. koichirose on 06 Apr 10:59:

    It is escaping a little bit too much here, or I didn’t really understand how it works. In my User page: <%= auto_link(@user.email) %>

    What gets printed: user@email.com

    That’s not a link, it actually is printed on the page.

    If I use raw it works, though…

  30. koichirose on 06 Apr 11:09:

    Well, this blog’s comment editor messed it up, what I meant is that I actually see ‘a href…/a’ on my page.

  31. Jon on 06 Apr 12:15:

    Aaron rocks, he’s been a major contributor to Rails.

    I reckon he can express himself any respectful way he likes after all he’s given to the community.

    Thanks, Rails team!

  32. ShellOn on 06 Apr 13:35:

    Good Job!!

  33. danimata@aspgems.com on 06 Apr 14:50:

    Great!

  34. tom myer on 06 Apr 15:06:

    upgraded 4 rails apps – perfect guys!! thanks a lot, Aaron & team!

  35. Shane on 06 Apr 16:41:

    @Alex, @Adam, @Thijs: please grow a sense of humor. Spunkiness and fun do not detract from substance.

  36. Kin Lum on 06 Apr 20:27:

    haha, I am number 36. congrats guys.

  37. lakshman on 07 Apr 01:35:

    Great!

  38. Zach Aysan on 07 Apr 02:00:

    You guys are great, thanks for all the continued hard work.

  39. Jens on 07 Apr 04:27:

    Great job, thanks for contributing!

  40. wxianfeng on 07 Apr 11:02:

    This is the first time I've come across the auto_link method; it's so cool!

  41. DHH on 07 Apr 13:54:

    miguelsan, I’m personally not that big a fan of the decent exposure style. Great to see the experimentation, but I don’t foresee this going into core.

  42. hoyhoy on 08 Apr 05:03:

    After upgrading, I'm getting "Could not load SystemTimer >= v1.2.0" on Ubuntu 10.04.2 LTS and OS X 10.6.7.

  43. hoyhoy on 08 Apr 19:19:

    I had to add SystemTimer to my Gemfile, but it wasn’t necessary pre-3.0.6.

    gem 'SystemTimer', '1.2.3'

  44. someguy on 10 Apr 22:25:

    I too would like to see Decent Exposure, or something similar, incorporated into Rails core.

  45. Bill on 11 Apr 05:47:

    Just upgraded from 3.0.5 to 3.0.6 across our four app servers and promptly had them start thrashing into swap memory. After a bit of investigation, it seems that 3.0.6 is using about 20%-40% more memory per Passenger process than 3.0.5 did. Anyone else have this occur?

  46. Scott on 11 Apr 08:06:

    Anyone else notice a performance hit in view rendering? After upgrading, a view that used to take about 500ms to render jumped to 2200ms.

  47. Josh on 12 Apr 00:45:

    I’ve noticed my rspec suite takes about 4 times longer to run with rails 3.0.6. Anyone else notice this?

  48. Stian on 12 Apr 09:55:

    Yeah, view rendering seems a whole lot slower. Any ideas what is causing this?

  49. Jordan on 13 Apr 04:52:

    @Alex omg 5 hearts and a smiley face. how ever shall we go on.

  50. Scott on 13 Apr 09:44:

    View rendering is dismally slow. Revert to 3.0.5 until it’s fixed.

  51. Bill on 13 Apr 20:57:

    @scott: My hunch with your view slowness would be that your app is now garbage collecting many times more than it had been, as this release seems to gobble up the memory at a much faster rate than 3.0.5. I’d reckon the powers that be will take a look for 3.0.7, in the meantime I’d consider 3.0.6 a mulligan.

  52. Stian on 14 Apr 06:49:

    Slowness issue (with confirmation of what causes it): https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6695-dramatic-rendering-slowdown-from-303-to-306

  53. wizardwerdna on 14 Apr 15:07:

    Can’t successfully install rails 3.0.6. Getting a message: “File not found:lib”

    Had this problem awhile back during the 3.0 beta era. Please advise. Help?

    lawhacker:rails-3.0.6 werdna$ gem install rails
    Successfully installed rails-3.0.6
    1 gem installed
    Installing ri documentation for rails-3.0.6...
    File not found: lib
    ERROR: While generating documentation for rails-3.0.6
    ... MESSAGE: exit
    ... RDOC args: --ri --op /Users/werdna/.rvm/gems/ree-1.8.7-2011.03/doc/rails-3.0.6/ri lib --title rails-3.0.6 Documentation --quiet l

  54. nj on 14 Apr 23:08:

    (Hey @wizardwerdna! I played Wizardry all the time in college, and ran into you on a poker site awhile ago.)

    I had the same problem trying to install rails on Snow Leopard using the built-in version of Ruby (1.8.something). I built the latest stable version (1.9.2-p180) and did a re-install of rails, and it seemed to work.

  55. wizardwerdna on 15 Apr 21:07:

    Hey NJ!

    I’m using rvm, and running on REE 1.8.7. Flipping to the 1.9.2 head, rails installs fine. Thanks for that.

    I was under the impression, however, that rails was intended to support 1.8.7. Am I missing something?

  56. Peter H on 18 Apr 10:08:

    The RoR home page still lists 3.0.5 as the latest version btw.
