[ANN] Rails 3.0.9.rc3 has been released!

I’ve pushed an rc3. Yes, we skipped one. I screwed up the rc2, so I yanked it, and we’re going straight to rc3. Good thing it’s just a release candidate, right? ;-)

As usual, please test this against your application and report any regressions to the rails core mailing list. I would like to hear your feedback, good or bad.

I will release the final in 72 hours if there are no reported regressions. If there are reported regressions, I will release another RC and the clock will start over.

CHANGES

Here are some of the major changes since 3.0.9.rc1:

  • escape_javascript safebuffer fixes
  • json_escape safebuffer fixes
  • RDoc / ruby-debug conflict fixes.

For an exhaustive list, please check out the commits on github.

<3 <3 <3

[ANN] Rails 3.1.0.rc3 has been released!

Hey folks. Sorry for the multiple releases in such a short time span, but the security fixes released yesterday seem to have broken people’s applications. Even though this is a release candidate, I am not happy about breaking stuff.

I’ve pushed a 3.1.0.rc3. Please test this release candidate against your application and report any regressions to the rails core mailing list. I would like to hear your feedback, good or bad. Especially if it’s good. <3 <3

In two weeks, if there are no show-stopping issues, I will release the final version. If we do find regressions, I will publish another release candidate and we’ll put another two weeks on the clock.

However, I will not wait two weeks between release candidates. I want to get the final done as quickly as possible, so I’ll try to release RCs as quickly as possible.

CHANGES

Here are some of the major changes to the RC branch:

  • mailto SafeBuffer fixes
  • escape_javascript SafeBuffer fixes
  • Multiple sources in sprocket helpers

For an exhaustive list, please check out the commits on github.

Thanks for your patience everyone!

<3 <3 <3

[ANN] Rails 3.0.9.rc1 has been released!

Hey folks. Sorry for the multiple releases in such a short time span, but the security fixes released yesterday seem to have broken people’s applications. I am not happy about that.

I’ve pushed a 3.0.9.rc1. Please test this release candidate against your application and report any regressions to the rails core mailing list. I would like to hear your feedback, good or bad.

I will release the final in 72 hours if there are no reported regressions. If there are reported regressions, I will release another RC and the clock will start over.

CHANGES

Here are some of the major changes:

  • MemCacheStore works with Ruby 1.9 and -Ku
  • mailto SafeBuffer fixes
  • escape_javascript SafeBuffer fixes

For an exhaustive list, please check out the commits on github.

Thanks for your patience everyone!

<3 <3 <3

[ANN] Rails 3.1.0.rc2 has been released!

Security Issues!

This release contains fixes for possible XSS problems in your rails application. It is unlikely that your application is vulnerable, but you should take precautions by updating your application.

For more information about the XSS issue that was fixed in this release, please read this blog post.

WELCOME!

Hi everyone! I’ve released Rails version 3.1.0.rc2!

Please download our latest release candidate and give it a whirl!

Two weeks from today, we’ll either release another rc, or release 3.1.0 final (depending on the reported issues).

CHANGES

  • Fixing Rake 0.9.x integration
  • Fixing rubygems deprecation warnings
  • Sprockets was updated

MORE IMPORTANT CHANGES

  • Much whitespace was removed
  • Many typos were fixed
  • Queen’s English was changed to American English
  • Many grammar errors removed

For an exhaustive list of changes, see the log on github.

[ANN] Rails 3.0.8 has been released!

Security Issues!

This release contains fixes for possible XSS problems in your rails application. It is unlikely that your application is vulnerable, but you should take precautions by updating your application.

For more information about the XSS issue that was fixed in this release, please read this blog post.

WELCOME!

Hi everyone! I’ve released Rails version 3.0.8!

I know I told you I would release Rails 3.0.8 on June 2nd. I may put many hearts in my emails, but I’m quite serious about sticking to announced deadlines. The reason this release was delayed is the security issue above. I needed to coordinate three different versions to be released simultaneously, and that delayed this release.

Sorry about that! Barring “perfect storm” issues like this, I will keep you up to date on release dates as I know them. :-)

CHANGES

The big changes in this release are:

  • Fixing Rake 0.9.x integration
  • Fixing rubygems deprecation warnings
  • Refactoring YAML support to work well with Psych and Syck
  • Joins on polymorphic has_one associations are fixed

For an exhaustive log of changes, please see the commit list on github, or the CHANGELOG for each project.

[ANN] Rails 2.3.12 has been released!

Hi everyone! I’ve released rails version 2.3.12.

Security issues!

There are security issues in the rails_xss plugin, and we’ve fixed them with this release. Please make sure to upgrade your rails_xss plugin.

Please see here for more details about the security issue.

CHANGES

The main changes in this release are fixing compatibility issues with Rubygems 1.8.5.

You can view the complete list of changes here.

SUPPORT!

I want to briefly mention the support provided for the 2.3.x series. This branch is in security-maintenance mode. We will release it when there are problems like “the sky is falling”, or major security issues. It’s time for us to focus on pushing Rails forward!

Potential XSS Vulnerability in Ruby on Rails Applications

The XSS prevention support in recent versions of Ruby on Rails allows some string operations which, when combined with user-supplied data, may leave an ‘unsafe string’ incorrectly considered safe. It is unlikely that applications call these methods; however, we are shipping new versions today which prevent their use to ensure they’re not called unintentionally.

How the XSS Prevention Works

When strings are rendered to the client, if the string is not marked as “html safe”, the string will be automatically escaped and marked as “html safe”. Some helper methods automatically return strings already marked as safe.

For example:

<%= link_to('hello world', @user) %>

The link_to method will return a string marked as html safe. Since link_to returns an “html safe” string (also known as a safe buffer), the text will be output directly, meaning the user sees a link tag rather than escaped HTML.

The Problem

Safe buffers are allowed to be mutated in place via methods like sub!. These methods can add unsafe strings to a safe buffer, and the safe buffer will continue to be marked safe.

An example problem would be something like this:

<%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %>

In the above example, an untrusted string (params[:xss]) is added to the safe buffer returned by link_to, and the untrusted content is sent to the client without being escaped. To prevent this from happening, sub! and other similar methods will now raise an exception when they are called on a safe buffer.

In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark the returned string as safe. For example:

<%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>

The new versions will now ensure that all strings returned by these methods on safe buffers are marked unsafe.

Affected versions

This problem affects all versions of rails: 3.1.0.rc1, 3.0.7, and 2.3.11.

The Solution

Any methods that mutate the safe buffer without escaping input will now raise an exception.

If you need to modify a safe buffer, cast it to a Ruby string first by calling the to_str method:

<%= link_to('hello world', @user).to_str.sub!(/hello/, params[:xss]) %>
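The following is an added example, not code from the advisory or from Rails itself: a minimal stand-in for ActiveSupport::SafeBuffer that models the behaviour described above (in-place mutators refused, copying methods returning an unsafe String, appends escaped), together with the three template patterns from this post rendered through a simplified `<%= %>` step. `link_to`, `render` and the `UNTRUSTED` value standing in for `params[:xss]` are constructed here for illustration.

```ruby
require "cgi"

# Minimal stand-in for ActiveSupport::SafeBuffer, constructed for this example (not Rails' code).
class SafeBuffer < String
  # In-place mutators could splice raw input into a buffer that stays marked safe, so refuse them.
  %w[sub! gsub! slice! insert].each do |name|
    define_method(name) { |*_args, &_blk| raise "SafeBuffer##{name} is not allowed; call to_str first" }
  end
  def html_safe?
    true
  end
  # Appending escapes the argument unless it is itself marked safe.
  def concat(other)
    super(other.respond_to?(:html_safe?) && other.html_safe? ? other : CGI.escapeHTML(other.to_s))
  end
  alias << concat
  # Copying methods hand back a plain (unsafe) String rather than another SafeBuffer.
  def to_str; String.new(self); end
  def sub(*args, &blk); to_str.sub(*args, &blk); end
  def gsub(*args, &blk); to_str.gsub(*args, &blk); end
end
# What <%= %> does in Rails: output a safe buffer verbatim, escape anything else.
def render(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Simplified link_to: escapes its inputs, then marks the assembled tag as safe.
def link_to(text, href)
  SafeBuffer.new(%(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>))
end

UNTRUSTED = "<script>alert(1)</script>" # constructed stand-in for params[:xss]
def mutate_in_place      # the advisory's sub! pattern: refused instead of leaking raw input
  link_to("hello world", "/users/1").sub!(/hello/, UNTRUSTED)
rescue RuntimeError => e
  e.message
end

def copy_then_render     # sub returns a plain String, so the whole result is escaped
  render(link_to("hello world", "/users/1").sub(/hello/, UNTRUSTED))
end

def to_str_then_render   # the recommended to_str route ends up escaped as well
  render(link_to("hello world", "/users/1").to_str.sub!(/hello/, UNTRUSTED))
end

def append_then_render   # << escapes the untrusted fragment but keeps the buffer safe
  render(link_to("hello world", "/users/1") << UNTRUSTED)
end
```

Note that after casting with to_str the substituted string is no longer a safe buffer, so the template escapes the entire result, link markup included; that is the intended trade-off when untrusted data is spliced into previously safe output.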

Upgrading

This problem is fixed in Rails 3.1.0.rc2, 3.0.8, and 2.3.12 (with rails_xss). If for some reason you cannot upgrade your Rails installation, please apply these patches:

Thanks

Thanks to Bruno Michel of LinuxFr.org and Brett Valantine who each independently reported the issue to us.

News from the Documentation Front

New Configuration Guide

Rails 3.1 will come with a new comprehensive guide about configuring Rails applications written by Ryan Bigg (@ryanbigg). The current draft is already available in the edge guides.

Rails Documentation Team

The documentation team, which was created some three years ago and consisted of Pratik Naik (@lifo), Mike Gunderloy (@MikeG1), and me, played a key role in bootstrapping docrails, together with lots of API contributors and guide authors. Kudos to Pratik and Mike; their effort was outstanding and gave a definitive push to this aspect of the project.

After all these years, documentation maintenance happens regularly in master. Because of that, we are no longer going to have a separate documentation team, the same way we do not have a separate testing team. Tests and docs are an integral part of Ruby on Rails, and complete patches have, or should have, proper test and doc coverage.

Rails Guides Reviewers

Reviewing guides needs a special profile and dedication that has its own standards and pace. There’s going to be a team of guides reviewers that will take care of new material. I am very glad to announce that Vijay Dev (@vijay_dev) is going to be the first member of this team. Vijay has done awesome work in docrails in the last months. Welcome aboard :).

Next Steps

The Rails documentation has improved a lot in the last few years: it has more content, and it has better editorial quality. But there’s still a lot to do. Here are some ideas to work on:

  • A new documentation generator that evaluates the source tree and introspects to generate the API, mixed with a parser to extract documentation snippets.

  • Methods in the API have a link that toggles the visibility of their source code. Wouldn’t it be awesome if there was a toggler that disclosed their tests?

  • Test coverage for the guides.

  • What about a gorgeous template design?

If you’d like to hack on any of them please go ahead!

[ANN] Rails 3.0.8.rc3 (third time is the charm!)

Hey everybody! I’ve pushed Rails 3.0.8.rc3.

Hopefully this release candidate takes care of all the outstanding issues remaining. To see what has changed between 3.0.8.rc2 and 3.0.8.rc3, check out this link on github. If no regressions are found, I will release the final version 72 hours from now (Thursday, June 2nd around 1pm). Please let us know if this release candidate causes any regressions from the 3.0.7 version.

I’m still getting over my cold, so I promise that next release I will return to my normal level of excitement! ;-)

[ANN] Rails 3.0.8.rc2

Hey folks! I’ve pushed 3.0.8.rc2.

I want to give a big thanks to Philip Arndt and Robert Pankowecki for reporting regressions in 3.0.8.rc1! We’ve fixed the regressions, so I pushed an rc2.

To see the diffs for this rc, check out the commit list on github.

Since we’ve released a new release candidate, I’ll target the final release for June 1. If you find regressions between v3.0.7 and v3.0.8.rc2, please let me know and we’ll do another rc!

Thanks everyone!

$ curl 'http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/383777' | ruby -n -e'print $_.gsub(/rc1/, "rc2")'