Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

• [CVE-2020-8162] Circumvention of file size limits in ActiveStorage
• [CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
• [CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
• [CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
• [CVE-2020-8167] CSRF Vulnerability in rails-ujs

Here are the checksums for 5.2.4.3:

57936c04e421d5626dae6384645d2c04c50fade9  actioncable-5.2.4.3.gem
b9574346692494c816ba90c6c9f882e7535d3d6e  actionmailer-5.2.4.3.gem
d9abd6496bb593bcd6ded01eb2970d6c68591913  actionpack-5.2.4.3.gem
94b6025625aaf8a58271f29a8fcf2ab731bb2ba5  actionview-5.2.4.3.gem
261537dfe4b9becacadb97b5a4b1745a1a2ad88e  activejob-5.2.4.3.gem
3152765c56701234d56505be6f9f335686335d42  activemodel-5.2.4.3.gem
2db5dfbeb0860c4287fe1f6f7f4d180213c95393  activerecord-5.2.4.3.gem
80d1942082dfac378fa2446c4d9b90b59a209b16  activestorage-5.2.4.3.gem
1bfd68dcae101feb5a6414f3d449de07f179366b  activesupport-5.2.4.3.gem
27a4883d96f4bdfb67f89194e55f72c80ded8bcb  rails-5.2.4.3.gem
0ca72c6ab581f088394096f28290cb3fcc5abed6  railties-5.2.4.3.gem

Here are the checksums for 6.0.3.1:

7a791c75121a2d291c940c42dee32bab6f79b28d  actioncable-6.0.3.1.gem
8ab6c70bb51c65365f0ecf45bc313a92538bdc51  actionmailbox-6.0.3.1.gem
32abbd8b860e0eb4dc6ddc7eb91229f138f41be5  actionmailer-6.0.3.1.gem
b4e2f362f9e3f64c463f13a355c91eac4faf5c3c  actionpack-6.0.3.1.gem
d2830250080c6ddfce32d7eed3b5e06868593679  actiontext-6.0.3.1.gem
d6fd791dd17410eedc792a83114bd2226d809081  actionview-6.0.3.1.gem
d93fa09175cd3a4260aaa04576405caeaea5c722  activejob-6.0.3.1.gem
751083db939d5b00ee66e383688365f06221b9a5  activemodel-6.0.3.1.gem
799344ebdf08a45c56ace16e3f124d4e2a0ecc46  activerecord-6.0.3.1.gem
5066a273cc46d7a71e69f34c6d17b1f0eeac74ef  activestorage-6.0.3.1.gem
637121aaab5d88902f686d64e86fd4b4967b2031  activesupport-6.0.3.1.gem
faebc6a2d71d81b8fdababff057b91bea2bba47e  rails-6.0.3.1.gem
5dacf3de55b1c1aa6f9f31b346e963a3745a15d2  railties-6.0.3.1.gem

Stay safe, and have a great day everyone!

Due to an unfortunate oversight, Rails 4.2.11.2 has a missing constant error. To address this Rails 4.2.11.3 has been released.

The original announcement for CVE-2020-8163 has a follow-up message with an updated patch if you’re unable to use the gems.

Here are the shas:

$ sha256sum *-4.2.11.3.gem
229cd7da59bd26faf3e9d67a8285150e6eba6f63e077392b68d93b02a06cfd34  actionmailer-4.2.11.3.gem
67e84b5fcde0b2d885987a444646fb4d741926fd565565a336e73c5153e7a5a4  actionpack-4.2.11.3.gem
3be3f1ab60f518415da2fab994eac7d4ad869ea6b89762b7c1a9922e0756963e  actionview-4.2.11.3.gem
cab80c01aa01e0856c506c9a1fc7e492ca5e93c45ac917f9ea3671f8c77016ae  activejob-4.2.11.3.gem
97b94190b4a2c1ccfaa9727a445d2b157dac8378959c37df3b51a0aafb3967fc  activemodel-4.2.11.3.gem
cd6c8445c0b4ee3c89ec382149c0e7d44148d179092f69d8ec333be1fc4efcba  activerecord-4.2.11.3.gem
515015c5b8c7b35af33f5911c14248b06438c25fda60905965ba8d3c2237e372  activesupport-4.2.11.3.gem
7502ee83259abce924803052e34f3a9d072b01050e41e2ae94a22ddfd16d9686  rails-4.2.11.3.gem
f33ac1fc4e3dff3f35369caaf7ca21ace876637fabba9d05e512bfc06379c789  railties-4.2.11.3.gem

Apologies to anyone affected by this error.

Hey everyone! Rails 4.2.11.2 has been released! It contains one patch to address CVE-2020-8163. You can see the patch here.

Here are the shas:

[aaron@tc-lan-adapter ~/g/r/pkg (4-2-stable)]$ shasum *
83032b4c875aabfda864c66cb93b813630709296  actionmailer-4.2.11.2.gem
b5abffff073b64b9ad8898f6872bb6136e065db8  actionpack-4.2.11.2.gem
e7946643d107c48798430fb009b1461361365a9e  actionview-4.2.11.2.gem
3950245af83ed510c8627840a4f22433650c76b7  activejob-4.2.11.2.gem
d8143e3b39ae1db75b8ae38cd9deb89f775dfd8e  activemodel-4.2.11.2.gem
178b5c42128cca057fa092c0c470327e5ee1fd36  activerecord-4.2.11.2.gem
419a5082a5fcdf5e586991ae882c8a7c309fbb82  activesupport-4.2.11.2.gem
0f1f6de79761559fa9152a07373993a8dddf7a3e  rails-4.2.11.2.gem
e8607553f3fec597423eea77722dd6a59060a827  railties-4.2.11.2.gem

Happy Friday everyone!

This is Greg and Wojtek bringing you the latest news about Rails in these crazy times.

A May of WTFs

Have you ever lost time on some strange Rails issue? Would you like to make it go away, so the others won’t do the same? It is an initiative running this month to improve Rails, especially for the first time users. Check the details and help making Rails better!

RailsConf - Couch Edition

This year RailsConf took place online. You can already watch all the videos. Take a look at the official announcement or jump straight to the playlist here.

Rails 6.0.3 has been released

This version fixes warnings when used with Ruby 2.7 altogether with many other framework bug fixes.

Instrument layout rendering

With this addition it is possible to listen on more specific action view layout rendering instrumentation.

Inspect time attributes with subsec

Before:

#<Knot id: 1, created_at: "2016-05-05 01:29:47">

After:

#<Knot id: 1, created_at: "2016-05-05 01:29:47.116928000">

Test file patterns configurable via Environment variables

It is now possible to control which test files to execute by setting DEFAULT_TEST or DEFAULT_TEST_EXCLUDE environment variables.

Fix aggregate functions to return numeric value consistently even on custom attribute type

Count and average always returns a numeric value, but sum, maximum, and minimum did not always return a numeric value if aggregated on a custom attribute type.

Deprecate passing a column to type_cast

The type information for type casting is entirely separated to type object, so if anyone does passing a column to type_cast in Rails 6, they are likely doing something wrong. See the PR for a more thorough explanation.

Deprecate allowed_index_name_length and in_clause_length in DatabaseLimits

In the past, the SQLite3 adapter relied on allowed_index_name_length, but it is no longer needed so it got deprecated. in_clause_length also got deprecated in https://github.com/rails/rails/pull/39057.

38 people contributed since our last issue. You can check the full list of changes. Keep safe out there!

The bar for reporting a bug to the Rails project can be pretty steep. You’re expected to carefully diagnose the problem, preferably propose a solution, include detailed reproduction steps, and all the other homework that makes it possible for a project like Rails to deal with hundreds if not thousands of reports on a yearly basis.

While this is a reasonable process for collecting actionable reports that a small group of contributors can reasonably triage, it’s not a great process at all for learning about all the the potholes, the roadblocks, and the roundabouts that make your journey that much more uncomfortable or take longer. That stuff just gets swallowed up by the sinkhole of grievances (have I exhausted the metaphor yet?! 😂).

So when Avdi took to air some of those grievances on Twitter, the natural thing happened that always happens when you feel your work is attacked: The core contributor group got defensive! That’s a mischaracterization! Where are the completed bug reports!? You know the drill, if you’ve ever worked on something, poured your heart into it, and then seen it criticized online. There’s that immediate, knee-jerk reaction of a sting. But it doesn’t have to sting.

“Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom” – Victor Frankl

We’re now choosing that response to be something different than the typical response to a perceived slight. Our response will be that of growth, and its essence is that Avdi’s frustrations are broad frustrations, they’re valid frustrations. They’re perhaps not yet in an actionable form, like we’re used to with perfectly described bug reports, but we can turn them into that! Together!

And even more, we can accept that Avdi’s frustrations are not anywhere near broad enough to cover all the frustrations. So we can ask for more! In a structured way, under a new paradigm of inquiry, and we can make Ruby on Rails better together. That sounds pretty good, no?

So that’s what we’re doing! We started a small group to involve Avdi, Betsy, and others who’ve expressed grievances or interest in those grievances to work together. And the first project to come out of this group is what we’re calling A May of WTFs. It’s a new category on the Ruby on Rails discussion forum, and it’s going to be a safe space for those WTFs you weren’t going to turn into formal bug reports. It’s going to be timeboxed to the month of May. And it’s going to run under the championship of Betsy Haibel. So I’ll let her set the terms of engagement:

We all lose time to “Rails WTFs.” Something goes weird in our Rails process, and we spend four hours frantically reading Stack Overflow before it finally occurs to us to restart Spring. Or we make one silly typo and it causes the autoloader to lose track of an entirely different class.

It can be hard to write bug reports for a WTF. When it’s difficult to understand what triggered it an issue, or what fixed it, nailing down a good reproduction seems impossible. And who wants to go to that effort when they’ve just spent hours staring at byebug and cursing computers?

This May, the Rails team is going to be tackling some of these WTFs – which means we need you to tell us about them! Send us your strangest Rails 6 stories, even if you don’t really understand what triggered them or remember how you fixed it. Provide as much detail as you can – but don’t worry over what you can’t. We’ll be looking through all of this for patterns that will let us improve Rails (or at least its error messages) for everyone.

So please, come join us in a May of WTFs. Help Betsy, Avdi, and everyone else who’s interested in transforming the raw energy of frustrations into gleaming patches to documentation, error messages, or even APIs. We’ll take WTFs as input and produce 💖 as output.

Hi everyone,

I am happy to announce that Rails 6.0.3 has been released. This version fixes warnings when used with Ruby 2.7.

CHANGES since 6.0.2

To view the changes for each gem, please read the changelogs on GitHub:

• Action Cable CHANGELOG
• Action Mailbox CHANGELOG
• Action Mailer CHANGELOG
• Action Pack CHANGELOG
• Action Text CHANGELOG
• Action View CHANGELOG
• Active Job CHANGELOG
• Active Model CHANGELOG
• Active Record CHANGELOG
• Active Storage CHANGELOG
• Active Support CHANGELOG
• Railties CHANGELOG

To see a summary of changes, please read the release on GitHub:

6.0.3 CHANGELOG

Full listing

To see the full list of changes, check out all the commits on GitHub.

SHA-256

If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-256 hashes.

Here are the checksums for 6.0.3:

$ shasum -a 256 *-6.0.3.gem
fe6b115017a16527a535088141ceaf465899cb7e4da2cc3dece30d59c2f66b53  actioncable-6.0.3.gem
58bd373233d0d70056de073b5ae0b84b598204c651712f450107294807ea9bdb  actionmailbox-6.0.3.gem
b922a6f15388275e095c4ef2e14a1581bbd84a006bb58242ba652a068304a499  actionmailer-6.0.3.gem
d6d9e228ac083ed9c62e8ea7470cadeebbb77998e523e0ef0902e532342c08ed  actionpack-6.0.3.gem
121c7774a0c9b581e681e84fcb34e8af6e2525e4195a1b815d3407dd77518803  actiontext-6.0.3.gem
f8a82d4f9e925cd9bb208ab5f37f91b297fe260b6fab9df2df99844341c9ce68  actionview-6.0.3.gem
eb3c4e63e96dc3f6746e245479a8e67c0d5b8316c0f034aa98c82a1975b825e3  activejob-6.0.3.gem
1f578a8ac1e111e4770c787d99ec432243ecbfee9593482eef0fadcdbae2295e  activemodel-6.0.3.gem
3bc7bef0857854609ac0e249467a2909f23042b6897284302b148018c84175f2  activerecord-6.0.3.gem
8ed4f462195c5460c3086e57e3441321f832fc396631bb76b8fd1d0cae18c8fb  activestorage-6.0.3.gem
460c7dc137d98409d9964b1216a67572d32904454f55a44f59fdf9d43b19106a  activesupport-6.0.3.gem
399039af4ca160751f87505e13d1a000dfb65e15e4d86601eb34070b85fc73e7  rails-6.0.3.gem
5163bf5652c4419cebb699cd1d723a9b80236bce70e25b1bc2f5d3bab78b0206  railties-6.0.3.gem

As always, huge thanks to the many contributors who helped with this release.

Hi everyone,

I am happy to announce that Rails 6.0.3.rc1 has been released.

If no regressions are found, expect the final release on Wednesday, May 6, 2020. If you find one, please open an issue on GitHub and mention me (@rafaelfranca) on it, so that we can fix it before the final release.

CHANGES since 6.0.2

To view the changes for each gem, please read the changelogs on GitHub:

• Action Cable CHANGELOG
• Action Mailbox CHANGELOG
• Action Mailer CHANGELOG
• Action Pack CHANGELOG
• Action Text CHANGELOG
• Action View CHANGELOG
• Active Job CHANGELOG
• Active Model CHANGELOG
• Active Record CHANGELOG
• Active Storage CHANGELOG
• Active Support CHANGELOG
• Railties CHANGELOG

To see a summary of changes, please read the release on GitHub:

6.0.3.rc1 CHANGELOG

Full listing

To see the full list of changes, check out all the commits on GitHub.

SHA-256

If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-256 hashes.

Here are the checksums for 6.0.3.rc1:

$ shasum -a 256 *-6.0.3.rc1.gem
582a8303c42d9212bbdfed89dc03c795222240cf63172994af9b1cb53e7d7856  actioncable-6.0.3.rc1.gem
3a3c22c0e4c8ec04a201b96924aca7cc578a00c9dca173e65d86ff10f7a2ca0e  actionmailbox-6.0.3.rc1.gem
037d2c522920b384e4faa54e0f3c05f082421a982db46d91968214e592f95e79  actionmailer-6.0.3.rc1.gem
7e6dc42ff9c0ad6d332a558f6b4216647eae9b799c4e671e7c55abf879a9b4d9  actionpack-6.0.3.rc1.gem
3a8009d4fcb4d8b1b54e251d577f4ad84a27a78876b2ed3f639140e90f4e783b  actiontext-6.0.3.rc1.gem
9a66e602199f4c6a79656e14a314b0026e674f8bb48fa316773484e354ccb291  actionview-6.0.3.rc1.gem
4c39f2a3df77837a3270c04af3a8dccbfa3884240aa6b4b4cdd153b8b702719c  activejob-6.0.3.rc1.gem
c22bcffaf22e343013866d2027dce45472000bd5def1fa96fddf3b02249c1d63  activemodel-6.0.3.rc1.gem
98dbea5db16b2857931fcb252858ff004c5cc1ceebd560cfc20962d785d565e2  activerecord-6.0.3.rc1.gem
aeaf6cdaa8019a451d28487cf1fb32b2818e03a18a147d11b55ef9ade110266c  activestorage-6.0.3.rc1.gem
9be7ec1f69d254ab6379bff92dec8c4852ca6fc0c7bd14d3fb94e71ce7091643  activesupport-6.0.3.rc1.gem
bd2558f622b5c02f3eb40514f861465c24cec0e2903cd6edf3a89da6dfa6c0f0  rails-6.0.3.rc1.gem
98b6b32f0839ba156f6cd5633666ceb816190fc6f5d73af5bee9b4288d5f8428  railties-6.0.3.rc1.gem

As always, huge thanks to the many contributors who helped with this release.

Daniel here, holed up in my apartment in New York City trying to stay healthy. Overwhelmed by all the latest pandemic news? Why not take a break with some exciting Rails news?

Security Fixes

Rails 6.0.2.2 and 5.2.4.2 were recently released to fix a XSS vulnerability in Action View. If you are not running one of these versions, it is time to upgrade. While you are at it, it is also time to upgrade to Ruby 2.5.8, 2.6.6, or 2.7.1.

Ruby on Rails on Discourse

The Ruby on Rails mailing list has migrated to https://discuss.rubyonrails.org/. If you would like to suggest changes or new features, discuss documentation, or ask questions about Rails, this is the place to be.

Annotate HTML output with template names

If you have ever opened your HTML source in the browser and wondered which templates were rendering which part of the page, this feature is for you. config.action_view.annotate_template_file_names adds HTML comments to the rendered output indicating where each template begins and ends. I am a fan of this feature, and I also like the clear problem statement in the commit message and PR description.

Quickly generate a Rails app pointing to master

If you are anything like me, you want to try out new Rails features the moment they are merged. Why wait? Now generating a new Rails app pointing to master is as simple as rails new <app_name> --master.

Just simply improve the documentation

Removing words like “just” and “simple” from the documentation might seem like a small change, but removing these superfluous words can make for a significantly more welcoming experience to folks who are struggling. 😍

Use index_by and index_with wherever possible

I haven’t used index_by and index_with before, but seeing this PR makes me want to try them out. It certainly looks nicer than map { ... }.to_h. And if you really like these methods you can enforce that with a new rubocop-rails cop.

And plenty of refactoring

Eileen refactored invert_predicate and fetch_attribute to get rid of some case statements in factor of a more object oriented approach. Aaron refactored the PartialRenderer, splitting out classes for rendering single objects and collections. John improved some things by making ActionView rendering instrumentation less DRY (sometimes WET code is better!).

106 people contributed since our last issue. Check out the full list of changes and Stay healthy out there!

Update

I accidentally posted the wrong shas for the 5.2.4.2 release in the original version of this post. I’ve updated the post to reflect the correct information.

Hi everyone,

HAPPY THURSDAY EVERYONE!!!!

I am pleased to announce that Rails 6.0.2.2 and 5.2.4.2 have been released. This release contains a security fix for CVE-2020-5267. You can find out more about the issue here.

For ease of upgrade, these releases only contain one patch which addresses the security issue.

If you would like to see the full list of changes, you can check out all of the commits on GitHub.

• Here are all the changes for 6.0.2.2.
• Here are all the changes for 5.2.4.2.

SHA-256

If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-256 hashes.

Here are the checksums for 6.0.2.2:

b2170b2b670e9f3d8a355a7ad78dabe996b7290c3e1a0390cc8782fabd1a93cd  actioncable-6.0.2.2.gem
c5f6d4bb2b083de45c547089addb351c01bb6c29c8789f447bca19f34f05223e  actionmailbox-6.0.2.2.gem
baf2a7d294b0f5cff209f754e877eeebb9263115c3f91bf91255733beb9df84f  actionmailer-6.0.2.2.gem
58c0f04386b014e5d4a8a1c1a48a9a67f3fb38243a3be74d7201dc18d68de25c  actionpack-6.0.2.2.gem
872fb41b79794eaa9d1007e4b2e73cfa031ab2a47e5ee8cdae362518d917fed9  actiontext-6.0.2.2.gem
5e43aae3f0f6961d5dd85002147cccf2dbadfe88f41725d874a1b42e76bd7117  actionview-6.0.2.2.gem
7ed215efd26e335d8ce56dbf141b735548e33bf6cf9e953f22558e370d4b3fe3  activejob-6.0.2.2.gem
35559978a7641c85d47709c7c3b75fcc456b1ec882631ffeba82e8a4e12f99cd  activemodel-6.0.2.2.gem
4c6aae2cfa9d19ac9901c3b2514fb1c3ccd82b61839f2b52d6711edc00013c80  activerecord-6.0.2.2.gem
818c65056c5e58df009bdd89fef099e3b4abcd99f4836360713b646dfb60715e  activestorage-6.0.2.2.gem
8b73152669af7b8e3840e16052d6d951620e07c63bfc650bae88e5b86643a9d5  activesupport-6.0.2.2.gem
4b789dc6d942e133032485169aa30553482b528ffea5dd52a3bab853fca0c822  rails-6.0.2.2.gem
5b9d0d0a814ce9f5061aabd24d31e7bcc6864f6fa16565c1b3d9dc646c6b9ab1  railties-6.0.2.2.gem

Here are the checksums for 5.2.4.2:

$ shasum -a 256 *-5.2.4.2.gem
bbb8c0cd649eabec75a86f7750e264f0e20335cfadb1c6901427d9401af28b60  actioncable-5.2.4.2.gem
bf2c0b60db93a6e7a86483f791ce631564ec0182270851ae83bd72e4bdb2e24d  actionmailer-5.2.4.2.gem
5df1b1a9e70f959a9b00087bef01893dc4c2fc15a8d040a827daf6844d4c34f0  actionpack-5.2.4.2.gem
97227c123908b84fface498ed50d755c12408037440380ee4b8b9a208cafe33a  actionview-5.2.4.2.gem
71df9fd6b723b1bb97e71329179ac1e2b5f8173ec6de5dd33937639e135a5be3  activejob-5.2.4.2.gem
b109119b3de473ebb24c4a85fcf9462ee052b83d647cd00c922ed609c06e8e49  activemodel-5.2.4.2.gem
e5d6db49d48018bf54133f6155a635e4de69f73dbbef6cb8cc79223604cc58f9  activerecord-5.2.4.2.gem
49a3b1c7cfe3fddb409df595b372d1077cf67536c4a3ba635e642676c2fda1b4  activestorage-5.2.4.2.gem
8c3ae3df5b08b49b6b5d9c5028da1a1e582f1243b7362dbb9736f65ede492378  activesupport-5.2.4.2.gem
44ab2836290ef259ed12fc6a24c1e62e317a534b79c37c0d1a8ec7ef893513f5  rails-5.2.4.2.gem
26b44b3d6c650d64ea2496c3328b9092efef5101ed953a660a93e2d643b359dc  railties-5.2.4.2.gem

Thanks to Jesse Campos for reporting this issue!

Have a good day!

Greetings, all! Daniel here, together with my pup (🐶 woof!) bringing you the latest news in Rails.

Add support for horizontal sharding

The good folks at GitHub have done an incredible amount of work to support multiple databases in Rails. This week brings horizontal sharding. Rails applications can now connect to and (manually) switch between multiple shards.

Support gzip for the schema cache

Katrina continues to work on the schema cache, this time by adding gzip support for both the YAML and the Marshal serialization strategies. This can come in handy when trying to deploy particularly large schemas in constrained environments.

Add additional multi-database rake tasks

It is now possible to run rails db:schema:dump, rails db:schema:load, rails db:structure:dump, rails db:structure:load and rails db:test:prepare on a specific database. This was previously only possible for rails db:create, rails db:drop, and rails db:migrate. Excellent work on your first few commits to Rails, Kyle!

Eliminate a hash allocation when rendering templates

I included this one for the commit message more than for the code change itself. The benchmark taught me a bit about Action Controller, Action View, and how to write a good benchmark.

That’s all for now. 18 people contributed since last time, including some first-time contributors. Check out the full list of changes.