Rails 3.1.2 has been released. This is a patch-level release containing bug fixes and an important security fix.

Possible XSS vulnerability in the translate helper method in Ruby on Rails

There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.

• Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
• Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
• Fixed Versions: 3.0.11, 3.1.2

Please see the rubyonrails-security posting and the changelog item below, for more details.

Changes

Action Mailer:

• No changes

Action Pack:

• Fix XSS security vulnerability in the translate helper method. When using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped. GH 3664

  Before:

  translate('foo_html', :something => '<script>') # => "...<script>..."
  

  After:

   translate('foo_html', :something => '<script>') # => "...<script>..."
  

  Sergey Nartimov

• Upgrade sprockets dependency to ~> 2.1.0

• Ensure that the format isn’t applied twice to the cache key, else it becomes impossible to target with expire_action.

  Christopher Meiklejohn

• Swallow error when can’t unmarshall object from session.

  Bruno Zanchet

• Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.

  Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.

  The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is exactly 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.

  Jon Leighton

• Ensure users upgrading from 3.0.x to 3.1.x will properly upgrade their flash object in session (issues #3298 and #2509)

Active Model:

• No changes

Active Record:

• Fix problem with prepared statements and PostgreSQL when multiple schemas are used. GH #3232

  Juan M. Cuello

• Fix bug with PostgreSQLAdapter#indexes. When the search path has multiple schemas, spaces were not being stripped from the schema names after the first.

  Sean Kirby

• Preserve SELECT columns on the COUNT for finder_sql when possible. GH 3503

  Justin Mazzi

• Reset prepared statement cache when schema changes impact statement results. GH 3335

  Aaron Patterson

• Postgres: Do not attempt to deallocate a statement if the connection is no longer active.

  Ian Leitch

• Prevent QueryCache leaking database connections. GH 3243

  Mark J. Titorenko

• Fix bug where building the conditions of a nested through association could potentially modify the conditions of the through and/or source association. If you have experienced bugs with conditions appearing in the wrong queries when using nested through associations, this probably solves your problems. GH #3271

  Jon Leighton

• If a record is removed from a has_many :through, all of the join records relating to that record should also be removed from the through association’s target.

  Jon Leighton

• Fix adding multiple instances of the same record to a has_many :through. GH #3425

  Jon Leighton

• Fix creating records in a through association with a polymorphic source type. GH #3247

  Jon Leighton

• MySQL: use the information_schema than the describe command when we look for a primary key. GH #3440

  Kenny J

Active Resource:

• No changes

Active Support:

• No changes

Railties:

• Engines: don’t blow up if db/seeds.rb is missing.

  Jeremy Kemper

• rails new foo --skip-test-unit should not add the :test task to the rake default task. GH 2564

  José Valim

As ever, you can see a full list of commits between the versions on Github.

Rails 3.0.11 has been released. This is a patch-level release containing bug fixes and an important security fix.

Possible XSS vulnerability in the translate helper method in Ruby on Rails

There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.

• Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
• Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
• Fixed Versions: 3.0.11, 3.1.2

Please see the rubyonrails-security posting and the changelog item below, for more details.

Changes

Action Mailer:

• No changes

Action Pack:

• Fix XSS security vulnerability in the translate helper method. When using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped. GH 3664

  Before:

  translate('foo_html', :something => '<script>') # => "...<script>..."
  

  After:

   translate('foo_html', :something => '<script>') # => "...<script>..."
  

  Sergey Nartimov

• Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.

  Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.

  The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is exactly 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.

• Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.

• Fix url_for when passed a hash to prevent additional options (eg. :host, :protocol) from being added to the hash after calling it.

Active Model:

• No changes

Active Record:

• Exceptions from database adapters should not lose their backtrace.

• Backport “ActiveRecord::Persistence#touch should not use default_scope” (GH #1519)

• Psych errors with poor yaml formatting are proxied. Fixes GH #2645 and GH #2731

• Fix ActiveRecord#exists? when passsed a nil value

Active Resource:

• No changes

Active Support:

• No changes

Railties:

• Updated Prototype UJS to lastest version fixing multiples errors in IE [Guillermo Iguaran]

As ever, you can see a full list of commits between the versions on Github.

Hi everyone,

Rails 3.1.1 has been released. This release requires at least sass-rails 3.1.4

CHANGES

Action Mailer

• No changes

Action Pack

• stylesheet_link_tag(‘/stylesheets/application’) and similar helpers doesn’t throw Sprockets::FileOutsidePaths exception anymore [Santiago Pastorino]

• Ensure default_asset_host_protocol is respected, closes #2980. [José Valim]

  Changing rake db:schema:dump to run :environment as well as :load_config, as running :load_config alone will lead to the dumper being run without including extensions such as those included in foreigner and spatial_adapter.

  This reverses a change made here: https://github.com/rails/rails/commit/5df72a238e9fcb18daf6ab6e6dc9051c9106d7bb#L0L324

  I’m assuming here that :load_config needs to be invoked separately from :environment, as it is elsewhere in the file for db operations, if not the alternative is to go back to “task :dump => :environment do”.

  [Ben Woosley]

• Update to rack-cache 1.1.

  Versions prior to 1.1 delete the If-Modified-Since and If-Not-Modified headers when config.action_controller.perform_caching is true. This has two problems:

  • unexpected inconsistent behaviour between development & production environments
  • breaks applications that use of these headers

  [Brendan Ribera]

• Ensure that enhancements to assets:precompile task are only run once [Sam Pohlenz]

• TestCase should respect the view_assigns API instead of pulling variables on its own. [José Valim]

• javascript_path and stylesheet_path now refer to /assets if asset pipelining is on. [Santiago Pastorino]

• button_to support form option. Now you’re able to pass for example ‘data-type’ => ‘json’. [ihower]

• image_path and image_tag should use /assets if asset pipelining is turned on. Closes #3126 [Santiago Pastorino and christos]

• Avoid use of existing precompiled assets during rake assets:precompile run. Closes #3119 [Guillermo Iguaran]

• Copy assets to nondigested filenames too [Santiago Pastorino]

• Give precedence to config.digest = false over the existence of manifest.yml asset digests [christos]

• escape options for the stylesheet_link_tag method [Alexey Vakhov]

• Re-launch assets:precompile task using (Rake.)ruby instead of Kernel.exec so it works on Windows [cablegram]

• env var passed to process shouldn’t be modified in process method. [Santiago Pastorino]

• rake assets:precompile loads the application but does not initialize it.

  To the app developer, this means configuration add in config/initializers/* will not be executed.

  Plugins developers need to special case their initializers that are meant to be run in the assets group by adding :group => :assets. [José Valim]

• Sprockets uses config.assets.prefix for asset_path [asee]

• FileStore key_file_path properly limit filenames to 255 characters. [phuibonhoa]

• Fix Hash#to_query edge case with html_safe strings. [brainopia]

• Allow asset tag helper methods to accept :digest => false option in order to completely avoid the digest generation. Useful for linking assets from static html files or from emails when the user could probably look at an older html email with an older asset. [Santiago Pastorino]

• Don’t mount Sprockets server at config.assets.prefix if config.assets.compile is false. [Mark J. Titorenko]

• Set relative url root in assets when controller isn’t available for Sprockets (eg. Sass files using asset_path). Fixes #2435 [Guillermo Iguaran]

• Fix basic auth credential generation to not make newlines. GH #2882

• Fixed the behavior of asset pipeline when config.assets.digest and config.assets.compile are false and requested asset isn’t precompiled. Before the requested asset were compiled anyway ignoring that the config.assets.compile flag is false. [Guillermo Iguaran]

• CookieJar is now Enumerable. Fixes #2795

• Fixed AssetNotPrecompiled error raised when rake assets:precompile is compiling certain .erb files. See GH #2763 #2765 #2805 [Guillermo Iguaran]

• Manifest is correctly placed in assets path when default assets prefix is changed. Fixes #2776 [Guillermo Iguaran]

• Fixed stylesheet_link_tag and javascript_include_tag to respect additional options passed by the users when debug is on. [Guillermo Iguaran]

• Fix ActiveRecord#exists? when passsed a nil value

• Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.

Active Model

• Remove hard dependency on bcrypt-ruby to avoid make ActiveModel dependent on a binary library. You must add the gem explicitly to your Gemfile if you want use ActiveModel::SecurePassword:

  gem ‘bcrypt-ruby’, ‘~> 3.0.0’

  See GH #2687. [Guillermo Iguaran]

Active Record

• Add deprecation for the preload_associations method. Fixes #3022.

  [Jon Leighton]

• Don’t require a DB connection when loading a model that uses set_primary_key. GH #2807.

  [Jon Leighton]

• Fix using select() with a habtm association, e.g. Person.friends.select(:name). GH #3030 and #2923.

  [Hendy Tanata]

• Fix belongs_to polymorphic with custom primary key on target. GH #3104.

  [Jon Leighton]

• CollectionProxy#replace should change the DB records rather than just mutating the array. Fixes #3020.

  [Jon Leighton]

• LRU cache in mysql and sqlite are now per-process caches.

  • lib/active_record/connection_adapters/mysql_adapter.rb: LRU cache keys are per process id.
  • lib/active_record/connection_adapters/sqlite_adapter.rb: ditto

• Database adapters use a statement pool for limiting the number of open prepared statments on the database. The limit defaults to 1000, but can be adjusted in your database config by changing ‘statement_limit’.

• Fix clash between using ‘preload’, ‘joins’ or ‘eager_load’ in a default scope and including the default scoped model in a nested through association. (GH #2834.) [Jon Leighton]

• Ensure we are not comparing a string with a symbol in HasManyAssociation#inverse_updates_counter_cache?. Fixes GH #2755, where a counter cache could be decremented twice as far as it was supposed to be.

  [Jon Leighton]

• Don’t send any queries to the database when the foreign key of a belongs_to is nil. Fixes GH #2828. [Georg Friedrich]

• Fixed find_in_batches method to not include order from default_scope. See GH #2832 [Arun Agrawal]

• Don’t compute table name for abstract classes. Fixes problem with setting the primary key in an abstract class. See GH #2791. [Akira Matsuda]

• Psych errors with poor yaml formatting are proxied. Fixes GH #2645 and GH #2731

• Use the LIMIT word with the methods #last and #first. Fixes GH #2783 [Damien Mathieu]

Active Resource

• No changes

Active Support

• ruby193: String#prepend is also unsafe [Akira Matsuda]

• Fix obviously breakage of Time.=== for Time subclasses [jeremyevans]

• Added fix so that file store does not raise an exception when cache dir does not exist yet. This can happen if a delete_matched is called before anything is saved in the cache. [Philippe Huibonhoa]

• Fixed performance issue where TimeZone lookups would require tzinfo each time [Tim Lucas]

• ActiveSupport::OrderedHash is now marked as extractable when using Array#extract_options! [Prem Sichanugrist]

Railties

• Add jquery-rails to Gemfile of plugins, test/dummy app needs it. Closes #3091. [Santiago Pastorino]

• rake assets:precompile loads the application but does not initialize it.

  To the app developer, this means configuration add in config/initializers/* will not be executed.

  Plugins developers need to special case their initializers that are meant to be run in the assets group by adding :group => :assets.

SHA-1

• 9337cff7772da034b0b34b73b85cf249f1a70f52 actionmailer-3.1.1.gem
• 7bb1b8d096a6ff1ff46dcfb778bf86a5daca1b0d actionpack-3.1.1.gem
• d5dc71e1a9a0e20d819f4dff27ff0697e99a7f64 activemodel-3.1.1.gem
• 7245632cb3b38612628304c1e244855d0053f7be activerecord-3.1.1.gem
• 6d09800202c2747e84249b8646f0fd480ed4924f activeresource-3.1.1.gem
• 66df2fd144aab22f52819fd489e33a976d68a46b activesupport-3.1.1.gem
• 6a35a49948bbd9f461839a1a271def90b23a851a rails-3.1.1.gem
• 6979ef891bd03fb639b979af9fdc56781f9358d9 railties-3.1.1.gem

You can find an exhaustive list of changes on github. Along with the closed issues marked for v3.1.1.

Thanks to everyone!

Hi everyone,

Rails 3.1.1.rc3 has been released. Please give it a try, it’s our chance to fix regressions you might find and make a beautiful 3.1.1 stable release. If there are no regressions I will be releasing 3.1.1 final next October 7th. If you find any regression please contact me ASAP by email, twitter or github.

CHANGES

Action Mailer

• No changes

Action Pack

• stylesheet_link_tag(‘/stylesheets/application’) and similar helpers doesn’t throw Sprockets::FileOutsidePaths exception anymore [Santiago Pastorino]

• Ensure default_asset_host_protocol is respected, closes #2980. [José Valim]

  Changing rake db:schema:dump to run :environment as well as :load_config, as running :load_config alone will lead to the dumper being run without including extensions such as those included in foreigner and spatial_adapter.

  This reverses a change made here: https://github.com/rails/rails/commit/5df72a238e9fcb18daf6ab6e6dc9051c9106d7bb#L0L324

  I’m assuming here that :load_config needs to be invoked separately from :environment, as it is elsewhere in the file for db operations, if not the alternative is to go back to “task :dump => :environment do”.

  [Ben Woosley]

• Update to rack-cache 1.1.

  Versions prior to 1.1 delete the If-Modified-Since and If-Not-Modified headers when config.action_controller.perform_caching is true. This has two problems:

  • unexpected inconsistent behaviour between development & production environments
  • breaks applications that use of these headers

  [Brendan Ribera]

• Ensure that enhancements to assets:precompile task are only run once [Sam Pohlenz]

• TestCase should respect the view_assigns API instead of pulling variables on its own. [José Valim]

• javascript_path and stylesheet_path now refer to /assets if asset pipelining is on. [Santiago Pastorino]

• button_to support form option. Now you’re able to pass for example ‘data-type’ => ‘json’. [ihower]

• image_path and image_tag should use /assets if asset pipelining is turned on. Closes #3126 [Santiago Pastorino and christos]

• Avoid use of existing precompiled assets during rake assets:precompile run. Closes #3119 [Guillermo Iguaran]

• Copy assets to nondigested filenames too [Santiago Pastorino]

• Give precedence to config.digest = false over the existence of manifest.yml asset digests [christos]

• escape options for the stylesheet_link_tag method [Alexey Vakhov]

• Re-launch assets:precompile task using (Rake.)ruby instead of Kernel.exec so it works on Windows [cablegram]

• env var passed to process shouldn’t be modified in process method. [Santiago Pastorino]

• rake assets:precompile loads the application but does not initialize it.

  To the app developer, this means configuration add in config/initializers/* will not be executed.

  Plugins developers need to special case their initializers that are meant to be run in the assets group by adding :group => :assets. [José Valim]

• Sprockets uses config.assets.prefix for asset_path [asee]

• FileStore key_file_path properly limit filenames to 255 characters. [phuibonhoa]

• Fix Hash#to_query edge case with html_safe strings. [brainopia]

• Allow asset tag helper methods to accept :digest => false option in order to completely avoid the digest generation. Useful for linking assets from static html files or from emails when the user could probably look at an older html email with an older asset. [Santiago Pastorino]

• Don’t mount Sprockets server at config.assets.prefix if config.assets.compile is false. [Mark J. Titorenko]

• Set relative url root in assets when controller isn’t available for Sprockets (eg. Sass files using asset_path). Fixes #2435 [Guillermo Iguaran]

• Fix basic auth credential generation to not make newlines. GH #2882

• Fixed the behavior of asset pipeline when config.assets.digest and config.assets.compile are false and requested asset isn’t precompiled. Before the requested asset were compiled anyway ignoring that the config.assets.compile flag is false. [Guillermo Iguaran]

• CookieJar is now Enumerable. Fixes #2795

• Fixed AssetNotPrecompiled error raised when rake assets:precompile is compiling certain .erb files. See GH #2763 #2765 #2805 [Guillermo Iguaran]

• Manifest is correctly placed in assets path when default assets prefix is changed. Fixes #2776 [Guillermo Iguaran]

• Fixed stylesheet_link_tag and javascript_include_tag to respect additional options passed by the users when debug is on. [Guillermo Iguaran]

• Fix ActiveRecord#exists? when passsed a nil value

• Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.

Active Model

• Remove hard dependency on bcrypt-ruby to avoid make ActiveModel dependent on a binary library. You must add the gem explicitly to your Gemfile if you want use ActiveModel::SecurePassword:

  gem ‘bcrypt-ruby’, ‘~> 3.0.0’

  See GH #2687. [Guillermo Iguaran]

Active Record

• Add deprecation for the preload_associations method. Fixes #3022.

  [Jon Leighton]

• Don’t require a DB connection when loading a model that uses set_primary_key. GH #2807.

  [Jon Leighton]

• Fix using select() with a habtm association, e.g. Person.friends.select(:name). GH #3030 and #2923.

  [Hendy Tanata]

• Fix belongs_to polymorphic with custom primary key on target. GH #3104.

  [Jon Leighton]

• CollectionProxy#replace should change the DB records rather than just mutating the array. Fixes #3020.

  [Jon Leighton]

• LRU cache in mysql and sqlite are now per-process caches.

  • lib/active_record/connection_adapters/mysql_adapter.rb: LRU cache keys are per process id.
  • lib/active_record/connection_adapters/sqlite_adapter.rb: ditto

• Database adapters use a statement pool for limiting the number of open prepared statments on the database. The limit defaults to 1000, but can be adjusted in your database config by changing ‘statement_limit’.

• Fix clash between using ‘preload’, ‘joins’ or ‘eager_load’ in a default scope and including the default scoped model in a nested through association. (GH #2834.) [Jon Leighton]

• Ensure we are not comparing a string with a symbol in HasManyAssociation#inverse_updates_counter_cache?. Fixes GH #2755, where a counter cache could be decremented twice as far as it was supposed to be.

  [Jon Leighton]

• Don’t send any queries to the database when the foreign key of a belongs_to is nil. Fixes GH #2828. [Georg Friedrich]

• Fixed find_in_batches method to not include order from default_scope. See GH #2832 [Arun Agrawal]

• Don’t compute table name for abstract classes. Fixes problem with setting the primary key in an abstract class. See GH #2791. [Akira Matsuda]

• Psych errors with poor yaml formatting are proxied. Fixes GH #2645 and GH #2731

• Use the LIMIT word with the methods #last and #first. Fixes GH #2783 [Damien Mathieu]

Active Resource

• No changes

ActiveSupport

• ruby193: String#prepend is also unsafe [Akira Matsuda]

• Fix obviously breakage of Time.=== for Time subclasses [jeremyevans]

• Added fix so that file store does not raise an exception when cache dir does not exist yet. This can happen if a delete_matched is called before anything is saved in the cache. [Philippe Huibonhoa]

• Fixed performance issue where TimeZone lookups would require tzinfo each time [Tim Lucas]

• ActiveSupport::OrderedHash is now marked as extractable when using Array#extract_options! [Prem Sichanugrist]

Railties

• Add jquery-rails to Gemfile of plugins, test/dummy app needs it. Closes #3091. [Santiago Pastorino]

• rake assets:precompile loads the application but does not initialize it.

  To the app developer, this means configuration add in config/initializers/* will not be executed.

  Plugins developers need to special case their initializers that are meant to be run in the assets group by adding :group => :assets.

You can find an exhaustive list of changes on github. Along with the closed issues marked for v3.1.1. You can also take a look to what’s new between v3.1.1.rc2 and v3.1.1.rc3

You can also see issues we haven’t closed yet.

Thanks to everyone!

Hi everyone,

Rails 3.1.1.rc2 has been released. Please give it a try, it’s our chance to fix regressions you might find and make a beautiful 3.1.1 stable release. If there are no regressions I will be releasing 3.1.1 final next October 3rd. If you find any regression please contact me ASAP by email, twitter or github.

CHANGES

Action Mailer

• No changes

Action Pack

• Allow asset tag helper methods to accept :digest => false option in order to completely avoid the digest generation. Useful for linking assets from static html files or from emails when the user could probably look at an older html email with an older asset. [Santiago Pastorino]

• Don’t mount Sprockets server at config.assets.prefix if config.assets.compile is false. [Mark J. Titorenko]

• Set relative url root in assets when controller isn’t available for Sprockets (eg. Sass files using asset_path). Fixes #2435 [Guillermo Iguaran]

• Fix basic auth credential generation to not make newlines. GH #2882

• Fixed the behavior of asset pipeline when config.assets.digest and config.assets.compile are false and requested asset isn’t precompiled. Before the requested asset were compiled anyway ignoring that the config.assets.compile flag is false. [Guillermo Iguaran]

• CookieJar is now Enumerable. Fixes #2795

• Fixed AssetNotPrecompiled error raised when rake assets:precompile is compiling certain .erb files. See GH #2763 #2765 #2805 [Guillermo Iguaran]

• Manifest is correctly placed in assets path when default assets prefix is changed. Fixes #2776 [Guillermo Iguaran]

• Fixed stylesheet_link_tag and javascript_include_tag to respect additional options passed by the users when debug is on. [Guillermo Iguaran]

• Fix ActiveRecord#exists? when passsed a nil value

• Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.

Active Model

• Remove hard dependency on bcrypt-ruby to avoid make ActiveModel dependent on a binary library. You must add the gem explicitly to your Gemfile if you want use ActiveModel::SecurePassword:

  gem ‘bcrypt-ruby’, ‘~> 3.0.0’

  See GH #2687. [Guillermo Iguaran]

Active Record

• Add deprecation for the preload_associations method. Fixes #3022.

  [Jon Leighton]

• Don’t require a DB connection when loading a model that uses set_primary_key. GH #2807.

  [Jon Leighton]

• Fix using select() with a habtm association, e.g. Person.friends.select(:name). GH #3030 and #2923.

  [Hendy Tanata]

• Fix belongs_to polymorphic with custom primary key on target. GH #3104.

  [Jon Leighton]

• CollectionProxy#replace should change the DB records rather than just mutating the array. Fixes #3020.

  [Jon Leighton]

• LRU cache in mysql and sqlite are now per-process caches.

  • lib/active_record/connection_adapters/mysql_adapter.rb: LRU cache keys are per process id.
  • lib/active_record/connection_adapters/sqlite_adapter.rb: ditto

• Database adapters use a statement pool for limiting the number of open prepared statments on the database. The limit defaults to 1000, but can be adjusted in your database config by changing ‘statement_limit’.

• Fix clash between using ‘preload’, ‘joins’ or ‘eager_load’ in a default scope and including the default scoped model in a nested through association. (GH #2834.) [Jon Leighton]

• Ensure we are not comparing a string with a symbol in HasManyAssociation#inverse_updates_counter_cache?. Fixes GH #2755, where a counter cache could be decremented twice as far as it was supposed to be.

  [Jon Leighton]

• Don’t send any queries to the database when the foreign key of a belongs_to is nil. Fixes GH #2828. [Georg Friedrich]

• Fixed find_in_batches method to not include order from default_scope. See GH #2832 [Arun Agrawal]

• Don’t compute table name for abstract classes. Fixes problem with setting the primary key in an abstract class. See GH #2791. [Akira Matsuda]

• Psych errors with poor yaml formatting are proxied. Fixes GH #2645 and GH #2731

• Use the LIMIT word with the methods #last and #first. Fixes GH #2783 [Damien Mathieu]

Active Resource

• No changes

Active Support

• Fixed performance issue where TimeZone lookups would require tzinfo each time [Tim Lucas]

• ActiveSupport::OrderedHash is now marked as extractable when using Array#extract_options! [Prem Sichanugrist]

Railties

• Add jquery-rails to Gemfile of plugins, test/dummy app needs it. Closes #3091. [Santiago Pastorino]

• rake assets:precompile loads the application but does not initialize it.

  To the app developer, this means configuration add in config/initializers/* will not be executed.

  Plugins developers need to special case their initializers that are meant to be run in the assets group by adding :group => :assets.

You can find an exhaustive list of changes on github. Along with the closed issues marked for v3.1.1. You can also take a look to what’s new between v3.1.1.rc1 and v3.1.1.rc2

You can also see issues we haven’t closed yet.

Thanks to everyone!

Hi everyone,

Rails 3.1.1.rc1 has been released. Please give it a try, it’s our chance to fix regressions you might find and make a beautiful 3.1.1 stable release. If there are no regressions I will be releasing 3.1.1 final next September 16th during GoGaRuCo.

CHANGES

Action Mailer

• No changes

Action Pack

• Allow asset tag helper methods to accept :digest => false option in order to completely avoid the digest generation. Useful for linking assets from static html files or from emails when the user could probably look at an older html email with an older asset. [Santiago Pastorino]

• Don’t mount Sprockets server at config.assets.prefix if config.assets.compile is false. [Mark J. Titorenko]

• Set relative url root in assets when controller isn’t available for Sprockets (eg. Sass files using asset_path). Fixes #2435 [Guillermo Iguaran]

• Fix basic auth credential generation to not make newlines. GH #2882

• Fixed the behavior of asset pipeline when config.assets.digest and config.assets.compile are false and requested asset isn’t precompiled. Before the requested asset were compiled anyway ignoring that the config.assets.compile flag is false. [Guillermo Iguaran]

• CookieJar is now Enumerable. Fixes #2795

• Fixed AssetNotPrecompiled error raised when rake assets:precompile is compiling certain .erb files. See GH #2763 #2765 #2805 [Guillermo Iguaran]

• Manifest is correctly placed in assets path when default assets prefix is changed. Fixes #2776 [Guillermo Iguaran]

• Fixed stylesheet_link_tag and javascript_include_tag to respect additional options passed by the users when debug is on. [Guillermo Iguaran]

• Fix ActiveRecord#exists? when passsed a nil value

• Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.

Active Model

• Remove hard dependency on bcrypt-ruby to avoid make ActiveModel dependent on a binary library. You must add the gem explicitly to your Gemfile if you want use ActiveModel::SecurePassword:

  gem ‘bcrypt-ruby’, ‘~> 3.0.0’

  See GH #2687. [Guillermo Iguaran]

Active Record

• LRU cache in mysql and sqlite are now per-process caches.

  • lib/active_record/connection_adapters/mysql_adapter.rb: LRU cache keys are per process id.
  • lib/active_record/connection_adapters/sqlite_adapter.rb: ditto

• Database adapters use a statement pool for limiting the number of open prepared statments on the database. The limit defaults to 1000, but can be adjusted in your database config by changing ‘statement_limit’.

• Fix clash between using ‘preload’, ‘joins’ or ‘eager_load’ in a default scope and including the default scoped model in a nested through association. (GH #2834.) [Jon Leighton]

• Ensure we are not comparing a string with a symbol in HasManyAssociation#inverse_updates_counter_cache?. Fixes GH #2755, where a counter cache could be decremented twice as far as it was supposed to be.

  [Jon Leighton]

• Don’t send any queries to the database when the foreign key of a belongs_to is nil. Fixes GH #2828. [Georg Friedrich]

• Fixed find_in_batches method to not include order from default_scope. See GH #2832 [Arun Agrawal]

• Don’t compute table name for abstract classes. Fixes problem with setting the primary key in an abstract class. See GH #2791. [Akira Matsuda]

• Psych errors with poor yaml formatting are proxied. Fixes GH #2645 and GH #2731

• Use the LIMIT word with the methods #last and #first. Fixes GH #2783 [Damien Mathieu]

Active Resource

• No changes

Active Support

• Fixed performance issue where TimeZone lookups would require tzinfo each time [Tim Lucas]

• ActiveSupport::OrderedHash is now marked as extractable when using Array#extract_options! [Prem Sichanugrist]

Railties

• No changes

You can find an exhaustive list of changes on github. Along with the closed issues marked for v3.1.1.

You can also see issues we haven’t closed yet.

Thanks to everyone!

Hi everybody!

It’s been 3 Months since RailsConf, so I think it’s time we released Rails 3.1.0. So, here it is! I’ve released Rails 3.1.0!

CHANGES

For a much more attractive and easy to read list of changes, please check out the awesome Rails 3.1.0 Release Notes on the Rails Guides site. For a less attractive list of changes, please continue to read!

Here are some highlights of the major changes in Rails 3.1.0:

ActionPack

• ActionPack has been updated to include the new asset pipeline. Please see the rails guides on the asset pipeline.

• Streaming response support has been added. This feature allows you to stream templates to the user before processing has actually finished. See the Rails Guides, or documentation in ActionController::Metal::Streaming for more information. Middleware have been refactored to support this feature.

• RJS has been extracted to a gem.

ActiveModel

• attr_accessible and friends now accepts :as as option to specify a role

• Added ActiveModel::SecurePassword to encapsulate dead-simple password usage with BCrypt encryption and salting.

ActiveRecord

• Prepared statement caches have been integrated. ActiveRecord::Base#create and simple finders will use a prepared statement and cache for more performant inserts and selects.

• Associations have been refactored for greater simplicity and maintainability.

• default_scope can take any object that responds to call.

• PostgreSQL adapter only supports PostgreSQL version 8.2 and higher.

• Migrations use instance methods rather than class methods. Rather than defining a self.up method, you should define an instance method up.

• Migrations are reversible. When a new migration is generated, the migration will contain one method called change. Database changes made in this method will automatically know how to reverse themselves. For more information, see the documentation for ActiveRecord::Migration and ActiveRecord::Migration::CommandRecorder.

• When a model is generated, add_index is added by default for belongs_to or references columns.

ActiveResource

• The default format has been changed to JSON for all requests. If you want to continue to use XML you will need to set self.format = :xml in the class.

ActiveSupport

• ActiveSupport::BufferedLogger set log encoding to BINARY, but still use text mode to output portable newlines.

• Add Object#in? to test if an object is included in another object.

• ActiveSupport::Dependencies::ClassCache class has been introduced for holding references to reloadable classes.

• Added weeks_ago and prev_week to Date/DateTime/Time.

• JSON decoding now uses the multi_json gem which also vendors a json engine called OkJson. The yaml backend has been removed in favor of OkJson as a default engine for 1.8.x, while the built in 1.9.x json implementation will be used by default.

Railties

• The default database schema file is written as UTF-8.

• Rack::Sendfile middleware is used only if x_sendfile_header is present.

• Add alias r for rails runner.

• jQuery is the new default JavaScript library.

• Added config.force_ssl configuration which loads Rack::SSL middleware and force all requests to be under HTTPS protocol

For more info

For a more detailed list of changes, please see each of the CHANGELOG files checked in to the Rails repository on github.

For an even more detailed list of changes, please see the commit list between Rails 3.0.10 and 3.1.0.

The End

I am personally very proud of this release. I want to say thank you to the people testing our release candidates, the people submitting patches and sending in bug reports. I think that Rails 3.1.0 is the best release of Rails to date, and we could not have done it without you.

Please continue to create amazing things with this framework!

SHA-1

• b68f74ced662145a4139409edf3c51db1159ead8 actionmailer-3.1.0.gem
• 136474f270677ae75ad0f9599d26e89cf1d4bc7b actionpack-3.1.0.gem
• e6b68453c08bb0da52ed1d422ba2f87a5e3aa794 activemodel-3.1.0.gem
• dfbae15c0d395304812c22fbf18aa9daadbe20b4 activerecord-3.1.0.gem
• 3f1f547e500d1ffc1f7c3ee4ab9eb1526157a870 activeresource-3.1.0.gem
• f21627c2f429abfa8685d2147fadab6704c13869 activesupport-3.1.0.gem
• 21c6592189fb358a066846754a8f7ce7a238fca6 rails-3.1.0.gem
• 79cfa1eca232de9a45453829287e4438089b7955 railties-3.1.0.gem

<3 <3 <3

The Ruby on Rails API is switching to SDoc starting with 3.1.

SDoc is a RDoc format created by Володя Колесников (@voloko) that has been powering railsapi.com for a long time.

Among other things, SDoc provides a search box with fuzzy match completion, tree browsing, keyboard navigation, and a really nice template.

You can already see the upgrade in the edge API.

We’d like to thank very much Володя for his work updating SDoc for the official API. Thanks man!

Hi everyone,

Rails 3.1.0.rc8 has been released (we’ve an issue with rc7). This is the final release candidate. Please give it a try, it’s our last chance to fix regressions and severe issues. We will be releasing final 3.1.0 next August 30th.

CHANGES

Check the CHANGELOG file of each framework to see what we’ve changed.

You can find an exhaustive list of changes on github. Along with the closed issues marked for v3.1.0.

You can also see issues we haven’t closed.

A comprehensive CHANGELOG will be announced when 3.1.0 final is released.

Thanks!

Hi everyone,

Rails 3.1.0.rc6 has been released. This release contains critical security fixes.

CHANGES

You can find an exhaustive list of changes on github. Along with the closed issues marked for v3.1.0.

You can also see issues we haven’t closed.

A comprehensive CHANGELOG will be announced when 3.1.0 final is released. Barring any show stopping bugs, Rails 3.1.0 will be released on August 30th.

4 Security Fixes

• Filter Skipping bugs
• SQL Injection issues
• Parse error in strip_tags
• UTF-8 escaping vulnerability

Please follow the links to see specific information about each vulnerability, along with individual patches for fixing them.

Please note that these security fixes do not have CVE identifiers. We requested identifiers on August 5th, and have yet to received a response. When we get identifiers, we’ll update the notices with those values.

Also remember to subscribe to the Ruby on Rails Security mailing list.

Why was this release delayed?

You may have noticed this release was originally slated to be released on August 8th. We decided to delay the release in order to obtain CVE identifiers. Unfortunately, identifiers still have not been issued. We felt that getting the security fixes to our users was more important than obtaining CVE values.

That is why our release is late, and contains no CVE identifiers.

THE END

Thanks! <3