[ANN] Rails 3.2.13.rc1 has been released!

Hey everyone! I am pumped to announce that Rails 3.2.13.rc1 has been released! If no regressions are found I will release 3.2.13 final in two weeks, on March 13, 2013. If you find one, please open an issue on GitHub so that I can fix it before the final release.

This is a bugfix release, with 287 commits. There is one big thing that is technically a fix but is sort of a feature: Ruby 2.0 support. Big thanks to Prem Sichanugrist for putting that together! Please give your applications a try on Ruby 2.0 and let me know how that goes.

CHANGES since 3.2.12

Action Mailer

No changes.

Action Pack

  • Determine the controller#action from only the matched path when using the shorthand syntax. Previously the complete path was used, which led to problems with nesting (scopes and namespaces). Fixes #7554. Backport #9361.


    # this will route to questions#new
    scope ':locale' do
      get 'questions/new'
    end

    Yves Senn

  • Fix assert_template with render :stream => true. Fix #1743. Backport #5288.

    Sergey Nartimov

  • Eagerly populate the http method lookup cache so local project inflections do not interfere with use of underscore method (and we don’t need locks).

    Aditya Sanghi

  • BestStandardsSupport no longer duplicates X-UA-Compatible values on each request to prevent header size from blowing up.

    Edward Anderson

  • Fixed JSON params parsing regression for non-object JSON content.

    Dylan Smith

  • Prevent unnecessary asset compilation when using javascript_include_tag on files with non-standard extensions.

    Noah Silas

  • Fixes issue where duplicate assets can be required with sprockets.

    Jeremy Jackson

  • Bump rack dependency to 1.4.3, eliminate Rack::File headers deprecation warning.

    Sam Ruby + Carlos Antonio da Silva

  • Do not append second slash to root_url when using trailing_slash: true

    Fix #8700. Backport #8701.

    Example:

    # before
    root_url # => http://test.host//

    # after
    root_url # => http://test.host/

    Yves Senn

  • Fix a bug in content_tag_for that prevents it from working without a block.


  • Clear url helper methods when routes are reloaded by removing the methods explicitly rather than just clearing the module because it didn’t work properly and could be the source of a memory leak.

    Andrew White

  • Fix a bug in ActionDispatch::Request#raw_post that caused env['rack.input'] to be read but not rewound.

    Matt Venables

  • More descriptive error messages when calling render :partial with an invalid :layout argument.

    Fixes #8376.

    render :partial => 'partial', :layout => true
    # results in ActionView::MissingTemplate: Missing partial /true

    Yves Senn

  • Accept symbols as #send_data :disposition value. [Backport #8329]

    Elia Schito

  • Add i18n scope to distance_of_time_in_words. [Backport #7997]

    Steve Klabnik

  • Fix side effect of url_for changing the :controller string option. [Backport #6003]

    Before:

    controller = '/projects'
    url_for :controller => controller, :action => 'status'
    puts controller #=> 'projects'

    After:

    puts controller #=> '/projects'

    Nikita Beloglazov + Andrew White

  • Introduce ActionView::Template::Handlers::ERB.escape_whitelist. This is a list of MIME types where template text is not HTML-escaped by default. It prevents Jack & Joe from rendering as Jack &amp; Joe for the whitelisted MIME types. The default whitelist contains text/plain. Fix #7976 [Backport #8235]

    Joost Baaij

  • BestStandardsSupport middleware now appends its X-UA-Compatible value to app’s returned value if any. Fix #8086 [Backport #8093]

    Nikita Afanasenko

  • Prevent double slashes in engine URLs when Rails.application.default_url_options[:trailing_slash] = true is set. Fix #7842.

    Yves Senn

  • Fix input name when :multiple => true and :index are set.

    Before:

    check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
    #=> <input name=\"post[foo][comment_ids]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids]\" type=\"checkbox\" value=\"1\" />

    After:

    check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
    #=> <input name=\"post[foo][comment_ids][]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids][]\" type=\"checkbox\" value=\"1\" />

    Fix #8108

    Daniel Fox, Grant Hutchins & Trace Wax

Active Model

  • Specify type of singular association during serialization.

    Steve Klabnik

Active Record

  • Reverted 921a296a3390192a71abeec6d9a035cc6d1865c8, ‘Quote numeric values compared to string columns.’ This caused several regressions.

    Steve Klabnik

  • Fix overriding of attributes by default_scope on ActiveRecord::Base#dup.

    Hiroshige UMINO

  • Fix issue with overriding Active Record reader methods with a composed object and using that attribute as the scope of a uniqueness_of validation. Backport #7072.

    Peter Brown

  • Sqlite now preserves custom primary keys when copying or altering tables. Fixes #9367. Backport #2312.

    Sean Scally + Yves Senn

  • Preloading has_many :through associations with conditions won’t cache the :through association. This will prevent invalid subsets from being cached. Fixes #8423. Backport #9252.

    class User
      has_many :posts
      has_many :recent_comments, -> { where('created_at > ?', 1.week.ago) }, :through => :posts
    end

    a_user = User.includes(:recent_comments).first
    # this is preloaded
    # fetching the recent_comments through the posts association won't preload it.

    Yves Senn

  • Fix handling of dirty time zone aware attributes

    Previously, when time_zone_aware_attributes were enabled, after changing a datetime or timestamp attribute and then changing it back to the original value, changed_attributes still tracked the attribute as changed. This caused [attribute]_changed? and changed? methods to return true incorrectly.


    in_time_zone 'Paris' do
      order = Order.new
      original_time = Time.local(2012, 10, 10)
      order.shipped_at = original_time
      order.changed? # => false
      # changing value
      order.shipped_at = Time.local(2013, 1, 1)
      order.changed? # => true
      # reverting to original value
      order.shipped_at = original_time
      order.changed? # => false, used to return true
    end

    Backport of #9073 Fixes #8898

    Lilibeth De La Cruz

  • Fix counter cache columns not updated when replacing has_many :through associations. Backport #8400. Fix #7630.

    Matthew Robertson

  • Don’t update column_defaults when calling destructive methods on column with default value. Backport c517602. Fix #6115.

    Piotr Sarnacki + Aleksey Magusev + Alan Daud

  • When #count is used in conjunction with #uniq we perform count(:distinct => true). Fix #6865.


    relation.uniq.count # => SELECT COUNT(DISTINCT *)

    Yves Senn + Kaspar Schiess

  • Fix ActiveRecord::Relation#pluck when columns or tables are reserved words. Backport #7536. Fix #8968.

    Ian Lesperance + Yves Senn + Kaspar Schiess

  • Don’t run explain on slow queries for database adapters that don’t support it. Backport #6197.

    Blake Smith

  • Revert round usec when comparing timestamp attributes in the dirty tracking. Fixes #8460.

    Andrew White

  • Revert creation of through association models when using collection=[] on a has_many :through association from an unsaved model. Fix #7661, #8269.

    Ernie Miller

  • Fix undefined method to_i when calling new on a scope that uses an Array; Fix FloatDomainError when setting integer column to NaN. Fixes #8718, #8734, #8757.

    Jason Stirk + Tristan Harward

  • Serialized attributes can be serialized in integer columns. Fix #8575.

    Rafael Mendonça França

  • Keep index names when using alter_table with sqlite3. Fix #3489. Backport #8522.

    Yves Senn

  • Recognize migrations placed in directories containing numbers and ‘rb’. Fix #8492. Backport of #8500.

    Yves Senn

  • Add ActiveRecord::Base.cache_timestamp_format class attribute to control the format of the timestamp value in the cache key. This allows users to improve the precision of the cache key. Fixes #8195.

    Rafael Mendonça França

  • Add :nsec date format. This can be used to improve the precision of cache key. Please note that this format only works with Ruby 1.9; Ruby 1.8 will ignore it completely.

    Jamie Gaskins

  • Unscope update_column(s) query to ignore default scope.

    When applying default_scope to a class with a where clause, using update_column(s) could generate a query that would not properly update the record due to the where clause from the default_scope being applied to the update query.

    class User < ActiveRecord::Base
      default_scope where(active: true)
    end

    user = User.first
    user.active = false
    user.update_column(:active, true) # => false

    In this situation we want to skip the default_scope clause and just update the record based on the primary key. With this change:

    user.update_column(:active, true) # => true

    Backport of #8436 fix.

    Carlos Antonio da Silva

  • Fix performance problem with primary_key method in PostgreSQL adapter when having many schemas. Uses pg_constraint table instead of pg_depend table which has many records in general. Fix #8414.


  • Do not instantiate intermediate Active Record objects when eager loading. These records caused after_find to run more than expected. Fix #3313. Backport of #8403.

    Yves Senn

  • Fix pluck to work with joins. Backport of #4942.

    Carlos Antonio da Silva

  • Fix a problem with translate_exception method in a non English environment. Backport of #6397.


  • Fix dirty attribute checks for TimeZoneConversion with nil and blank datetime attributes. Setting a nil datetime to a blank string should not result in a change being flagged. Fixes #8310. Backport of #8311.

    Alisdair McDiarmid

  • Prevent mass assignment to the type column of polymorphic associations when using build. Fixes #8265. Backport of #8291.

    Yves Senn

  • When running migrations on PostgreSQL, the :limit option for binary and text columns is silently dropped. Previously, these migrations caused SQL exceptions, because PostgreSQL doesn’t support limits on these types.

    Victor Costan

  • #pluck can be used on a relation with select clause. Fixes #7551. Backport of #8176.


    Topic.select([:approved, :id]).order(:id).pluck(:id)

    Yves Senn

  • Use nil? instead of blank? to check whether dynamic finder with a bang should raise RecordNotFound. Fixes #7238.

    Nikita Afanasenko

  • Fix deleting from a HABTM join table upon destroying an object of a model with optimistic locking enabled. Fixes #5332.

    Nick Rogers

  • Use query cache/uncache when using ENV["DATABASE_URL"]. Fixes #6951. Backport of #8074.


  • Do not create useless database transaction when building has_one association.


    User.has_one :profile

    Backport of #8154.

    Bogdan Gusiev

  • AR::Base#attributes_before_type_cast now returns unserialized values for serialized attributes.

    Nikita Afanasenko

  • Fix issue that raises NameError when overriding accepts_nested_attributes_for in child classes.

    Before:

    class Shared::Person < ActiveRecord::Base
      has_one :address
      accepts_nested_attributes_for :address, :reject_if => :all_blank
    end

    class Person < Shared::Person
      accepts_nested_attributes_for :address
    end

    Person
    #=> NameError: method `address_attributes=' not defined in Person

    After:

    Person
    #=> Person(id: integer, ...)

    Fixes #8131.

    Gabriel Sobrinho, Ricardo Henrique

Active Resource

No changes.

Active Support

  • Fix DateTime comparison with DateTime::Infinity object.

    Dan Kubb

  • Remove surrogate Unicode character encoding from ActiveSupport::JSON.encode. The encoding scheme was broken for Unicode characters outside the basic multilingual plane; since JSON is assumed to be UTF-8, and we already force the encoding to UTF-8, simply pass through the un-encoded characters.

    Brett Carter

  • Fix mocha v0.13.0 compatibility.

    James Mead

  • #as_json isolates options when encoding a hash. [Backport #8185] Fix #8182

    Yves Senn

  • Handle the possible Permission Denied errors atomic.rb might trigger due to its chown and chmod calls. [Backport #8027]

    Daniele Sluijters


No changes.

Full listing

To see the full list of changes, check out all the commits on GitHub.


If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-1 hashes:

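Checking downloaded gems against a published list in `shasum` format, as an added example that is not part of the original announcement. The file names and contents are constructed inside a temporary directory; SHA-1 is used only because it is the digest the announcements publish.

```ruby
require "digest"
require "tmpdir"

# One line of `shasum` output: 40 hex digits, whitespace, file name.
# An optional leading bullet is tolerated; shell prompts, headings and
# blank lines do not match and are skipped.
MANIFEST_LINE = /\A\s*(?:•\s*)?(\h{40})\s+\*?(\S+\.gem)\s*\z/

# Parse a published checksum list into { "name.gem" => "sha1 hex" }.
def parse_manifest(text)
  text.each_line.each_with_object({}) do |line, manifest|
    next unless (m = MANIFEST_LINE.match(line))
    # Keep only the base name so a manifest entry can never point outside dir.
    manifest[File.basename(m[2])] = m[1].downcase
  end
end

# Compare every manifest entry with the file of the same name in dir.
# Returns { "name.gem" => :ok | :mismatch | :missing }.
def verify_gems(manifest, dir)
  manifest.each_with_object({}) do |(name, expected), result|
    path = File.join(dir, name)
    result[name] =
      if !File.file?(path)
        :missing
      elsif Digest::SHA1.file(path).hexdigest == expected
        :ok
      else
        :mismatch
      end
  end
end

# Gem files in dir that the published list does not mention at all.
def unlisted_gems(manifest, dir)
  Dir.children(dir).select { |f| f.end_with?(".gem") } - manifest.keys
end

# Constructed sample: one intact file, one altered after the list was
# published, one listed but never downloaded, one not listed.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "example-1.0.0.gem"), "constructed gem bytes A")
    File.binwrite(File.join(dir, "tampered-1.0.0.gem"), "constructed gem bytes B, modified")
    File.binwrite(File.join(dir, "extra-1.0.0.gem"), "not announced")
    published = <<~TXT
      [user@host dist]$ shasum *.gem
      #{Digest::SHA1.hexdigest("constructed gem bytes A")}  example-1.0.0.gem
      #{Digest::SHA1.hexdigest("constructed gem bytes B")}  tampered-1.0.0.gem
      #{Digest::SHA1.hexdigest("never downloaded")}  absent-1.0.0.gem
    TXT
    manifest = parse_manifest(published)
    [verify_gems(manifest, dir), unlisted_gems(manifest, dir)]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Treat anything other than `:ok` for every listed gem, or any unlisted gem file, as a reason to stop before installing.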


Rails 4.0: Beta 1 released!

Hot on the heels of the first production version of Ruby 2.0 comes the first beta version of Rails 4.0. The two form a great pair and are already running in production on a number of applications, including Basecamp Breeze. In fact, Ruby 2.0 is the preferred Ruby to use with Rails 4.0.

The purpose of this beta is to get as many people as possible to try to upgrade from Rails 3.2 and earlier and to get an adventurous few to start new applications directly on Rails 4.0. That’s the only way we’re going to suss out all the issues and ensure that we can launch a solid final release. So please help us with that if you can!

Rails 4.0 is packed with new goodies and farewells to old goodies past their expiration date.

A big focus has been on making it dead simple to build modern web applications that are screaming fast without needing to go the client-side JS/JSON server route. Much of this work was pioneered for Rails in the new version of Basecamp and focuses on three aspects:

  1. Make it super easy to do Russian Doll-caching through key-based expiration with automatic dependency management of nested templates (explored first in the cache_digests plugin).
  2. Speed up the client-side with Turbolinks, which essentially turns your app into a single-page javascript application in terms of speed, but with none of the developmental drawbacks (except, maybe, compatibility issues with some existing JavaScript packages).
  3. Declarative etags make it even easier to ensure you’re taking advantage of HTTP freshness.

Rails is of course still a great JSON server for people who want to build client-side JS views, but with the progress we’ve made for Rails 4.0, you certainly won’t need to go down that route just to have a super fast application.

We’ve also added live streaming for persistent connections and Rails 4.0 is now safe for threaded servers out of the box (no more need for config.threadsafe!).

Active Record has received a ton of love as well to make everything related to scoping and the query structure more consistent.

Given all the fun we’ve had with security issues, we have some great updates there as well:

  • Session store is now encrypted by default (formerly just signed).
  • Strong Parameters take over from attr_protected (now a plugin) to guard against foreign parameters.
  • Security headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options are on by default with solid values.
  • XML Parameter parsing has been sent to a plugin.
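What the first item changes in practice, as an added example that is not Rails code: a signed cookie can be read by anyone who holds it, while an encrypted one cannot, and both reject tampering. The cookie layout, HMAC-SHA256 and AES-256-GCM used here are assumptions chosen for illustration and are not Rails' own cookie format.

```ruby
require "openssl"
require "json"

def b64(bytes)
  [bytes].pack("m0")          # strict base64, no line breaks
end

def unb64(text)
  text.unpack1("m0")          # raises ArgumentError on malformed input
end

# Constant-time comparison so the MAC check does not leak a prefix match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed only: base64(JSON) "--" HMAC. Integrity without confidentiality.
def sign_cookie(data, key)
  payload = b64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', key, payload)}"
end

def verify_signed_cookie(cookie, key)
  payload, mac = cookie.split("--", 2)
  return nil unless payload && mac
  return nil unless secure_equal?(mac, OpenSSL::HMAC.hexdigest("SHA256", key, payload))
  JSON.parse(unb64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Encrypted: iv "--" ciphertext "--" tag, using an authenticated cipher.
def encrypt_cookie(data, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(data)) + cipher.final
  [iv, ciphertext, cipher.auth_tag].map { |part| b64(part) }.join("--")
end

def decrypt_cookie(cookie, key)
  iv, ciphertext, tag = cookie.split("--", 3).map { |part| unb64(part) }
  return nil unless iv && ciphertext && tag && tag.bytesize == 16  # refuse short tags
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  JSON.parse(cipher.update(ciphertext) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# What a party holding the cookie but not the key can read from it.
def readable_without_key(cookie)
  text = unb64(cookie.split("--", 2).first.to_s).force_encoding("UTF-8")
  text.valid_encoding? && text.start_with?("{") ? JSON.parse(text) : nil
rescue ArgumentError, JSON::ParserError
  nil
end

def demo
  key = OpenSSL::Random.random_bytes(32)                 # constructed key
  session = { "user_id" => 42, "reset_token" => "s3cr3t-constructed" }
  signed = sign_cookie(session, key)
  encrypted = encrypt_cookie(session, key)

  # Payload edited after signing, old MAC kept.
  edited = b64(JSON.generate(session.merge("user_id" => 1))) + "--" + signed.split("--").last
  # One ciphertext bit flipped.
  iv, ciphertext, tag = encrypted.split("--")
  raw = unb64(ciphertext)
  raw.setbyte(0, raw.getbyte(0) ^ 1)
  flipped = [iv, b64(raw), tag].join("--")

  {
    signed_readable: readable_without_key(signed),
    encrypted_readable: readable_without_key(encrypted),
    signed_roundtrip: verify_signed_cookie(signed, key),
    encrypted_roundtrip: decrypt_cookie(encrypted, key),
    edited_signed: verify_signed_cookie(edited, key),
    flipped_encrypted: decrypt_cookie(flipped, key)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```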

On top of these new features and fixes, we have hundreds more of all sorts. Everything has been combed over, streamlined, simplified, and we’ve extracted out lots of old APIs and things that just don’t fit “most people most of the time”.

Active Resource, Active Record Observers, and Action Pack page and action caching are all examples of things that are no longer in core, but live on in plugins.

We encourage you to peruse the CHANGELOGs for all the Rails frameworks and delight over the hundreds of improvements we’ve made to Rails 4.0: Action Pack, Active Model, Active Record, Active Support, Rails.

Now let’s all work together to ensure the release is final and enjoy the bad-ass combination of Ruby on Rails 24! (Or 42?). Please report all the issues you find on the Rails issue tracker. We’re still working on the upgrade guide from 3.2 to 4.0, but that’s a good place to start for help on how to do it. As always, install betas with gem install rails --version 4.0.0.beta1 --no-ri --no-rdoc (--pre and ri generation is busted on RubyGems 2.0 at the moment) or depend on the v4.0.0.beta1 tag.

Maintenance policy for Ruby on Rails

Since the most recent patch releases there has been some confusion about what versions of Ruby on Rails are currently supported, and when people can expect new versions. Our maintenance policy is as follows.

Support of the Rails framework is divided into four groups: New features, bug fixes, security issues, and severe security issues. They are handled as follows, all versions in x.y.z format:

New Features

New Features are only added to the master branch and will not be made available in point releases.

Bug fixes

Only the latest release series will receive bug fixes. When enough bugs are fixed and it’s deemed worthy to release a new gem, this is the branch it happens from.

Currently included series: 3.2.z

After the Rails 4 release: 4.0.z

Security issues:

The current release series and the next most recent one will receive patches and new versions in case of a security issue.

These releases are created by taking the last released version, applying the security patches, and releasing. Those patches are then applied to the end of the x-y-stable branch. For example, a theoretical 1.2.3 security release would be built from 1.2.2, and then added to the end of 1-2-stable. This means that security releases are easy to upgrade to if you’re running the latest version of Rails.

Currently included series: 3.2.z, 3.1.z

After the Rails 4 release: 4.0.z, 3.2.z

Severe security issues:

For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.

Currently included series: 3.2.z, 3.1.z, 2.3.z

After the Rails 4 release: 4.0.z, 3.2.z

Unsupported Release Series

When a release series is no longer supported, it’s your own responsibility to deal with bugs and security issues. We may provide back-ports of the fixes and publish them to git, however there will be no new versions released. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.

You should also be aware that Ruby 1.8 will reach End of Life in June 2013; no further Ruby security releases will be provided after that point. If your application is only compatible with Ruby 1.8 you should upgrade accordingly.

[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released!

Hi everybody.

I’d like to announce that Rails 3.2.12, 3.1.11, and 2.3.17 have been released.

3.2.12 and 3.1.11 contain one security fix, and 2.3.17 contains two security fixes. It is recommended that you update immediately.

You can read about the security fixes by following these links:

Please note that today a new JSON gem was released, and it also contains an important security fix. You should update the JSON gem as soon as possible. You can read about the security issue in the JSON gem here:

In order to ease upgrading, the only major change in each gem is the security fix. To see the detailed changes for each version, follow the links below:

Thanks to the people who responsibly reported these security issues.

Please note that per our maintenance policy there will be no 3.0.x version released.

Here are the SHA-1 checksums for each gem:



[SEC][ANN] Rails 3.0.20, and 2.3.16 have been released!

Hi everybody.

I’d like to announce that 3.0.20, and 2.3.16 have been released. These releases contain one extremely critical security fix so please update IMMEDIATELY.

You can read about the security fix by following this link:

In order to ease upgrading, the only major change in each gem is the security fix. To see the detailed changes for each version, follow the links below:

Thanks to the people who responsibly reported these security issues.

Please note that per our maintenance policy this will be the last release for the 3.0.x series.

Here are the SHA-1 checksums for each gem:




[SEC][ANN] Rails 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released!

Hi everybody.

I’d like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely critical security fixes so please update IMMEDIATELY.

You can read about the security fixes by following these links:

In order to ease upgrading, the only major changes in each gem are the security fixes. To see the detailed changes for each version, follow the links below:

Thanks to the people who responsibly reported these security issues.

Here are the SHA-1 checksums for each gem:




[ANN] Rails 3.2.10, 3.1.9, and 3.0.18 have been released!

Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recommended that all users upgrade immediately.

The security identifier is CVE-2012-5664, and you can read about the issue here.

For other changes in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:

We’re sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don’t feel we can delay the release.

To that end, we’ve minimized the number of changes in each release so that upgrading should be as smooth as possible.

Happy Holidays!


What Is New in Rails Contributors

What is Rails Contributors?

Rails Contributors is a website that keeps track of all contributions made to the Ruby on Rails code base.

The application tries hard to give credit as accurately as possible, which is something you cannot do with git log. For example, according to Git the author of this commit is “@schneems and @mattt”, but you do not want to credit “@schneems and @mattt” right? Rails Contributors automatically splits the string, applies mappings, and gives credit both to Richard Schneeman, and Mattt Thompson.

Known typos, emails, and handles are associated to a canonical name to have everything aggregated per contributor rather than scattered in several unrelated listings. Heuristics also capture contributors from commit messages, and even from CHANGELOGs in the diff of commits imported from Subversion.

The purpose of all this work is to give credit, provide visibility to your contributions to Rails, and last but not least, to say thank you.

What Is New?

A new version of the website has just been published. The changes are:

  • More mappings: the application knows about more mappings and false positives.

  • New page for releases: There is a new shiny page for releases where you can see who contributed what in any of them. The breakdown is approximate for old releases, since all we have from Subversion is the Git history. Commits are classified with git rev-list.

  • Better Unicode handling: Some names with non-ASCII characters came up from Git using different UTF-8 byte representations. The application now applies NFC normalization thoroughly to address that.

  • Robust commit import: about one thousand commits were missing in the previous version because they were unreachable from the branch tips due to rarities in the git history. The commit importer is now more aggressive looking for commits.

  • Credit for Rails core in Subversion commits: Rails used Subversion for about its first four years. Subversion does not distinguish author and committer; you only have the committer. If the application determines that the author is not the committer using its heuristics, the committer now also gets credited. This is consistent with what happens nowadays, where the committer gets credited for his work on a pull request via the merge commit.

  • Internal changes: A lot of work has no external visibility indeed, you know. We migrated from grit to rugged, and there were significant refactors and speedups.


The People Behind Rails 4

Rails 4 is coming along nicely with a ton of new stuff, but this major release would not have been possible without the help of some people whose contributions have been outstanding. We want to dedicate this post to them, to show our appreciation and recognition for their extraordinary work:

Arun Agrawal has been helping with some housekeeping tasks. He puts a lot of effort into removing warnings, fixing broken builds, removing some unneeded code, and ensuring Rails works well with JRuby.

Vijay Dev leads the docrails front. He reviews documentation patches, which is a lot of work, and cross-merges docrails and Rails master periodically.

Guillermo Iguaran is a regular active core contributor. Recently he has extracted old-style mass-assignment protection to the new protected_attributes gem, and is helping with the assets pipeline related projects.

Toshinori Kajihara (kennyj) helps to fix and give attention to Active Record issues, which make up most of the open Rails issues.

Steve Klabnik is working on Rails issues like crazy. I mean, GitHub notifications generated by his activity flood your inbox. Giving sensible feedback, dynamizing threads, and closing issues. He has been key in halving the number of open issues.

Francesco Rodríguez has mainly contributed to the documentation, and also helps with tickets and code. Francesco has extracted page and action caching out to gems.

Piotr Sarnacki is an old-timer. Piotr helps constantly in the project and has done remarkable work on Rails engines and Action Pack.

Prem Sichanugrist has been helping regularly since the Rails 3 days in many ways. He recently performed the daunting task of converting all Rails guides from Textile to Markdown.

Carlos Antonio da Silva is among the most prolific Rails committers. He contributes on all fronts: code, docs, issues, discussions, etc.

Andrew White has also been helping regularly for a couple of years or so. He is a solid contributor in several areas and in particular knows routing very well.


Rails 3.2.9 has been released!

Hi everyone,

Rails 3.2.9 has been released without new changes since 3.2.9.rc3.


A DoS attack was recently found in Ruby that uses specially-crafted input to dramatically reduce the performance of hashes, thus using up lots of CPU time. Rails applications may be vulnerable to an attacker sending a specially-crafted HTTP request to exploit this.

A good way to limit the effectiveness of such attacks is to configure your frontend servers to limit the size of the HTTP request line, headers and body. Nginx does this by default. Apache can be configured to do this by setting the LimitRequestBody directive.

In addition, all Ruby 1.9 users are recommended to upgrade to ruby-1.9.3 patchlevel 327 to get this security fix.
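The paragraphs above place the size limits on the frontend server. As an added example that is not from the Rails project, here are the same limits enforced a second time inside the application as Rack middleware, before any parameter parsing runs. The class name RequestSizeLimit, the limit values and the choice to require Content-Length on POST, PUT and PATCH are assumptions.

```ruby
# Rack middleware (hypothetical name) that refuses oversized requests early.
# It needs no gems: a Rack app is any object responding to call(env).
class RequestSizeLimit
  # Assumed defaults; tune them to the largest legitimate request.
  DEFAULTS = { max_body: 1_048_576, max_query: 8_192, max_headers: 16_384 }.freeze
  BODY_METHODS = %w[POST PUT PATCH].freeze

  def initialize(app, limits = {})
    @app = app
    @limits = DEFAULTS.merge(limits)
  end

  def call(env)
    status = rejection_status(env)
    return [status, { "Content-Type" => "text/plain" }, ["request rejected\n"]] if status
    @app.call(env)
  end

  private

  # Returns an HTTP status to reject with, or nil to let the request through.
  def rejection_status(env)
    return 414 if env["QUERY_STRING"].to_s.bytesize > @limits[:max_query]

    header_bytes = env.sum do |name, value|
      name.to_s.start_with?("HTTP_") ? name.to_s.bytesize + value.to_s.bytesize : 0
    end
    return 431 if header_bytes > @limits[:max_headers]

    length = env["CONTENT_LENGTH"].to_s
    if length.empty?
      # Without a declared length the body size is unknown until it is read.
      return BODY_METHODS.include?(env["REQUEST_METHOD"]) ? 411 : nil
    end
    return 400 unless length.match?(/\A\d+\z/)
    return 413 if length.to_i > @limits[:max_body]

    nil
  end
end

# Constructed requests run through the middleware with small limits.
def sample_statuses
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
  guard = RequestSizeLimit.new(app, max_body: 100, max_query: 20, max_headers: 50)
  requests = {
    small_get:      { "REQUEST_METHOD" => "GET",  "QUERY_STRING" => "a=1" },
    body_at_limit:  { "REQUEST_METHOD" => "POST", "CONTENT_LENGTH" => "100" },
    body_too_large: { "REQUEST_METHOD" => "POST", "CONTENT_LENGTH" => "101" },
    long_query:     { "REQUEST_METHOD" => "GET",  "QUERY_STRING" => "q=" + "x" * 19 },
    big_headers:    { "REQUEST_METHOD" => "GET",  "HTTP_X_PAD" => "x" * 50 },
    no_length:      { "REQUEST_METHOD" => "POST" },
    bad_length:     { "REQUEST_METHOD" => "POST", "CONTENT_LENGTH" => "-1" }
  }
  requests.transform_values { |env| guard.call(env).first }
end

p sample_statuses if $PROGRAM_NAME == __FILE__
```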

CHANGES since 3.2.8

Action Mailer

  • Do not render views when mail() isn’t called. Fix #7761

    Yves Senn

Action Pack

  • Lock sprockets to 2.2.x. REASON: We had some pending fixes in sprockets and sass-rails to make it possible to use sprockets version > 2.2. We will do a more conservative sprockets upgrade for this release. In a next release we can relax the dependency again. See #8099 for more information.

    Guillermo Iguaran

  • Clear url helpers when reloading routes.

    Santiago Pastorino

  • Revert the shorthand routes scoped with :module option fix. This added a regression since it is changing the URL mapping. This makes the stable release backward compatible.

    Rafael Mendonça França

  • Revert the assert_template fix to not pass with every string that matches the template name. This added a regression since people were relying on this buggy behavior. This will introduce back #3849 but this stable release will be backward compatible. Fixes #8068.

    Rafael Mendonça França

  • Revert the rename of internal variable on ActionController::TemplateAssertions to prevent naming collisions. This added a regression related with shoulda-matchers, since it is expecting the instance variable @layouts. This will introduce back #7459 but this stable release will be backward compatible. Fixes #8068.

    Rafael Mendonça França

  • Accept :remote as symbolic option for link_to helper.

    Riley Lynch

  • Warn when the :locals option is passed to assert_template outside of a view test case. Fix #3415

    Yves Senn

  • Rename internal variables on ActionController::TemplateAssertions to prevent naming collisions. @partials, @templates and @layouts are now prefixed with an underscore. Fix #7459

    Yves Senn

  • resource and resources don’t modify the passed options hash. Fix #7777

    Yves Senn

  • Precompiled assets include aliases from foo.js to foo/index.js and vice versa.

    # Precompiles phone-<digest>.css and aliases phone/index.css to phone.css.
    config.assets.precompile = [ 'phone.css' ]
    # Precompiles phone/index-<digest>.css and aliases phone.css to phone/index.css.
    config.assets.precompile = [ 'phone/index.css' ]
    # Both of these work with either precompile thanks to their aliases.
    <%= stylesheet_link_tag 'phone', media: 'all' %>
    <%= stylesheet_link_tag 'phone/index', media: 'all' %>

    Jeremy Kemper

  • assert_template no longer passes with whatever string matches the template name.

    Before, when we had a template /layout/hello.html.erb, assert_template was passing with any string that matched. This behavior allowed false positives like:

    assert_template "layout"
    assert_template "out/hello"

    Now it only passes with:

    assert_template "layout/hello"
    assert_template "hello"

    Fixes #3849.


  • Handle ActionDispatch::Http::UploadedFile like Rack::Test::UploadedFile, don’t call to_param on it. Since Rack::Test::UploadedFile isn’t API compatible this is needed to test file uploads that rely on tempfile being available.

    Tim Vandecasteele

  • Fixed a bug with shorthand routes scoped with the :module option not adding the module to the controller as described in issue #6497. This should now work properly:

    scope :module => "engine" do
      get "api/version" # routes to engine/api#version
    end

    Luiz Felipe Garcia Pereira

  • Respect config.digest = false for asset_path

    Previously, the asset_path internals only respected the :digest option, but ignored the global config setting. This meant that config.digest = false could not be used in conjunction with config.compile = false. This corrects the behavior.

    Peter Wagenet

  • Fix #7646, the log now displays the correct status code when an exception is raised.

    Yves Senn

  • Fix handling of date selects when using both disabled and discard options. Fixes #7431.

    Vasiliy Ermolovich

  • Fix select_tag when option_tags is nil. Fixes #7404.

    Sandeep Ravichandran

  • javascript_include_tag :all will now not include application.js if the file does not exist.

    Prem Sichanugrist

  • Support cookie jar options (e.g., domain :all) for all session stores. Fixes GH#3047, GH#2483.

    Ravil Bayramgalin

  • Performance Improvement to send_file: Avoid having to pass an open file handle as the response body. Rack::Sendfile will usually intercept the response and just uses the path directly, so no reason to open the file. This performance improvement also resolves an issue with jRuby encodings, and is the reason for the backport, see issue #6844.

    Jeremy Kemper & Erich Menge

Active Model

  • Due to a change in builder, nil values and empty strings now generate closed tags, so instead of this:

    <pseudonyms nil="true"></pseudonyms>

    It generates this:

    <pseudonyms nil="true"/>

    Carlos Antonio da Silva

Active Record

  • Fix issue with collection associations calling first(n)/last(n) and attempting to set the inverse association when :inverse_of was used. Fixes #8087.

    Carlos Antonio da Silva

  • Fix ActiveRecord#update_column return value.


  • Fix bug when Column is trying to type cast boolean values to integer. Fixes #8067.

    Rafael Mendonça França

  • Fix bug where rake db:test:prepare tries to load the structure.sql into development database. Fixes #8032.

    Grace Liu + Rafael Mendonça França

  • Fixed support for DATABASE_URL environment variable for rake db tasks.

    Grace Liu

  • Fix bug where update_columns and update_column would not let you update the primary key column.

    Henrik Nyh

  • Decode URI encoded attributes on database connection URLs.

    Shawn Veader

  • Fix AR#dup to nullify the validation errors in the dup’ed object. Previously the original and the dup’ed object shared the same errors.

    Christian Seiler

  • Synchronize around deleting from the reserved connections hash. Fixes #7955

  • PostgreSQL adapter correctly fetches default values when using multiple schemas and domains in a db. Fixes #7914

    Arturo Pie

  • Fix deprecation notice when loading a collection association that selects columns from other tables, if a new record was previously built using that association.

    Ernie Miller

  • The postgres adapter now supports tables with capital letters. Fix #5920

    Yves Senn

  • CollectionAssociation#count returns 0 without querying if the parent record is not persisted.


    # SELECT COUNT(*) FROM "pets" WHERE "pets"."person_id" IS NULL
    # => 0


    # fires without sql query
    # => 0

    Francesco Rodriguez

  • Fix reset_counters crashing on has_many :through associations. Fix #7822.


  • ConnectionPool recognizes checkout_timeout spec key as taking precedence over legacy wait_timeout spec key, can be used to avoid conflict with mysql2 use of wait_timeout. Closes #7684.


  • Rename field_changed? to _field_changed? so that users can create a field named field

    Akira Matsuda, backported by Steve Klabnik

  • Fix creation of through association models when using collection=[] on a has_many :through association from an unsaved model. Fix #7661.

    Ernie Miller

  • Explain only normal CRUD sql (select / update / insert / delete). Fix problem that explains unexplainable sql. Closes #7544 #6458.


  • Backport test coverage to ensure that PostgreSQL auto-reconnect functionality remains healthy.

    Steve Jorgensen

  • Use config['encoding'] instead of config['charset'] when executing databases.rake in the mysql/mysql2. A correct option for a database.yml is 'encoding'.


  • Fix ConnectionAdapters::Column.type_cast_code integer conversion, to always convert values to integer calling #to_i. Fixes #7509.

    Thiago Pradi

  • Fix time column type casting for invalid time string values to correctly return nil.

    Adam Meehan

  • Fix becomes when using a configured inheritance_column.

    Yves Senn

  • Fix reset_counters when there are multiple belongs_to associations with the same foreign key and one of them has a counter cache. Fixes #5200.

    Dave Desrochers

  • Round usec when comparing timestamp attributes in the dirty tracking. Fixes #6975.


  • Use inversed parent for first and last child of has_many association.

    Ravil Bayramgalin

  • Fix Column.microseconds and Column.fast_string_to_date to avoid converting timestamp seconds to a float, since it occasionally results in inaccuracies with microsecond-precision times. Fixes #7352.

    Ari Pollak

  • Fix increment!, decrement!, toggle! that were skipping callbacks. Fixes #7306.

    Rafael Mendonça França

  • Fix AR#create to return an unsaved record when AR::RecordInvalid is raised. Fixes #3217.

    Dave Yeu

  • Remove unnecessary transaction when assigning has_one associations with a nil or equal value. Fix #7191.


  • Allow store to work with an empty column. Fix #4840.

    Jeremy Walker

  • Remove prepared statement from system query in postgresql adapter. Fix #5872.

    Ivan Evtuhovich

  • Make sure :environment task is executed before db:schema:load or db:structure:load. Fixes #4772.

    Seamus Abshere

Active Resource

  • No changes

Active Support

  • Add logger.push_tags and .pop_tags to complement logger.tagged:

    class Job
      def before
        Rails.logger.push_tags :jobs, self.class.name
      end

      def after
        Rails.logger.pop_tags 2
      end
    end

    Jeremy Kemper

  • Add %:z and %::z format string support to ActiveSupport::TimeWithZone#strftime. [fixes #6962]

    kennyj


  • Revert “Respect children paths filter settings” This reverts commit 53778ec2d716f860646fd43957fd53c8db4da2fe. Closes #8146

    Santiago Pastorino

  • Don’t eager-load app/assets and app/views

    Elia Schito

  • Update supported ruby versions error message in ruby_version_check.rb

    Lihan Li



You can find a list of changes between v3.2.8 and v3.2.9 here

Thanks to everyone!