Rails BugMash

Some of you may remember the Rails Hackfests that were conducted in 2007 and 2008. Well, with some help from the RailsBridge folks, we’re bringing back something similar :

The First Rails and RailsBridge BugMash

The idea is simple: RailsBridge has a lot of energy. The Rails Lighthouse has a lot of open tickets. By combining the RailsBridge enthusiasm with guidance from some Rails Core team members, we’re going to see what we can do to cut down the number of open tickets, encourage more people to get involved with the Rails source, and have some fun.

Here’s how it will work: the BugMash will run over the weekend of August 8-9. The Rails team will identify open issues that need some help and tag them in Lighthouse. Participants will draw from this pool with four goals:

  1. Confirm that the bug can be reproduced
  2. If it can’t be reproduced, try to figure out what information would make it possible to reproduced
  3. If it can be reproduced, add the missing pieces: better repro instructions, a failing patch, and/or a patch that applies cleanly to the current Rails source
  4. Bring promising tickets to the attention of the Core team

RailsBridge is organizing both face-to-face and online support for BugMash participants. The plan is to do everything possible to make it easy to start contributing to Rails, and to increase even further the substantial pool of developers who have helped make Rails what it is.

For more details, including a checklist of what you can do to get ready to work in the Rails source and details on a scoring system and rewards for the most active participants, keep an eye on the RailsBridge Wiki (a work in progress). For now, though, there are two things for you to do:

  1. Reserve at least a chunk of that weekend to roll up your sleeves and work on the BugMash
  2. Speak up by updating the wiki or posting on the mailing lists ( rubyonrails-core or railsbridge ) if you can contribute prizes, familiarity with the Rails source, or other help to the project.

Rails 2.3.3: Touching, faster JSON, bug fixes

We’ve released Ruby on Rails version 2.3.3. This release fixes a lot of bugs and introduces a handful of new features.

Active Record

  • touch is a convenient method to update a record’s timestamp and nothing else. This is extracted from apps whose models “touch” others when they change, such as a comment updating the parent.replies_changed_at timestamp after save and destroy. Timestamping an entire has_many association makes it easy to build a key for fragment caching that covers changes to the parent object and any of its children. This pattern is wrapped up as belongs_to :parent, :touch => :replies_changed_at. When the child changes, parent.replies_changed_at is touched. :touch => true is defaults to :touch => :updated_at.
  • :primary_key option for belongs_to for broader support of legacy schemas and those using a separate UUID primary key: belongs_to :employee, :primary_key => 'SSN', :foreign_key => 'EMPID' changeset


  • decoding backends for the json and yajl libraries. Both are significantly faster than the default YAML backend. To get started, install the json gem and set ActiveSupport::JSON.backend = 'JSONGem'.
  • leaner user-facing encoding API. Since a JSON libraries implement to_json with varying compatibility, safely overriding it is difficult. Most custom to_json looks like
    def to_json(*encoder_specific_args)
      { :some => "json representation" }.to_json(*encoder_specific_args)
    so we DRYed the user-facing API down to a more natural
    def as_json(options = {})
      { :some => "json representation" }
    without the ugly internal state exposed by overloading to_json as both public-facing and internal builder API. Rails 3 splits the API explicitly, so prepare now by switching from to_json to as_json.

Other Features

  • Add :concat option to asset tag helpers to force concatenation. changeset
  • Restore backwards compatibility for AR::Base#to_xml. changeset
  • Move from BlueCloth to Markdown for the markdown helper. Users using BlueCloth to provide their markdown functionality should upgrade to version 1.0.1 or 2.0.5 in order to restore compatibility.

Notable Bug Fixes

  • Fix errors caused by class-reloading with streaming responses in development mode.
  • Several fixes to the gem bundling, unpacking and installing system.
  • Make text_area_tag escape contents by default.
  • Make filter_parameters work correctly with array parameters.
  • Thread-safety fixes for postgresql string quoting.
  • Performance fixes for large response bodies.

Remaining Ruby & Rails Conferences in 09

The Ruby and Rails community is still growing strong and the sheer number of conferences coming up is proof of that. Below I’ve put together a list of all the conferences/events I could find before 2010 so you can hopefully make it out to at least one. ;-)

If you do attend one of these conferences, do me a favor and thank the organizer for taking the time to produce the event. Most of them spend a great deal of unpaid time making the event happen and most of them aren’t making a profit. Their passion and hard work helps keep our community strong.

Jul 17 – Jul 20 Rails Camp in Bryant Pond, Maine.

Cost: $120

Jul 17 – Jul 19 Ruby Kaigi 2009 in Tokyo, Japan.

Cost: Sold Out

Jul 24 – Jul 25 Rails Underground in London, UK

Cost: £240

Jul 31 – Aug 1 Rails Outreach Workshop for Women in San Francisco, CA

Cost: FREE

Jul 30 – Aug 1 RubyRx in Philadelphia, PA

Cost: $550

Aug 7 – Aug 9 eRubyCon in Columbus, OH

Cost: $299.00

Sep 10 – Sep 11 Ruby Rx in Washington DC

Cost: $550

Aug 7 – Aug 8 Oxente Rails in Natal, Brazil

Cost: R$ 200,00

Aug 27 – Aug 29 Lone Star Ruby Conf in Austin, TX

Cost: $250

Aug 28 – Aug 29 Ruby Hoedown in Nashville, TN

Cost: FREE

Aug 29 RS on Rails in Porto Alegre, Brazil Cost

Cost: R$50

Sep 1 – Sep 2 Rails Konferenz in Frankfurt, Germany

Cost: €215

Sep 7 – Sep 8 RubyWorld Conference in Matsue, Japan

Cost: ¥5000

Sep 12 Windy City Rails in Chicago, Il

Cost: $99

Sep 26 – Sep 27 Central eUropean RUby camp in Wien, Austria

Cost: Free

Oct 2 – Oct 3 Ruby Foo in London, UK

Cost: £ 220

Oct 5 – Oct 6 Aloha on Rails in Waikiki, HI

Cost: $199

Oct 13 – Oct 14 Rails Summit Latin America in São Paulo, Brazil

Cost: R$ 400

Oct 16 – Oct 19 Rails Camp UK in Margate, UK

Cost: £50

Oct 16 ArrrrCamp in Ghent, Belgium

Cost: Free

Nov 7 – Nov 8 Rupy 2009 in Poznań, Poland

Cost: ? (registration not open yet)

Nov 13- Nov 14 Conferencia Rails in Madrid, Spain

Cost: ?

Nov 19 – Nov 21 Rubyconf in San Francisco, CA

Cost: ? (registration not open yet)

Nov 20 – Nov 23 Rails Camp Australia in Melbourne, Australia

Cost: $180

Let me know if I forgot any events, I’ll be happy to add them to this list.

Community Highlights: Rails Prescriptions

Doing Test Driven Development (TDD) effectively is not something that comes easy, even when you’re working with a well structured Rails application. Up until March of this year there really was no guide I could recommend for developers who wanted to learn TDD with Rails.

What happened in March? Noel Rappin released his Rails Test Prescriptions PDF guide. You can start out by reading his FREE 84 page Getting Started With Rails Testing PDF Guide, and then maybe upgrade to his $9 dollar 286 page guide which covers advanced topics like creating Test helpers, stubbing, mocking, and even how to use factories, shoulda, rspec, and cucumber.

Noel is a great teacher providing examples that are really easy to follow and code downloads if you want to try writing tests on your own. So if you’re not doing testing yet or you want to learn some best practices, definitely check out Rails Prescriptions.

It’s also worth mentioning that Noel has posted some pretty interesting blog posts on the Rails Prescriptions Blog going over a few testing topics and even some testing interviews with developers like Chad Fowler, James Golick, Ryan Bates, and Mike Gunderloy. Lastly I can’t talk about Noel without mentioning his contributions to the Pathfinder blog, I’m a big fan of his blog posts.

Minor Changes to the Rails Security Policy

After reviewing the feedback on the two recent security announcements we’ve made a few minor changes to the Ruby on Rails security policy.

The first change we’ve made is to include more information on what to do if you don’t receive a response from the security team. In general reports to the security address should receive a response within 24 hours, however the sheer volume of spam to the address can, and has, lead to messages being caught in spam filters. In the event you don’t receive a response there are now two direct-emails to the people currently looking after security reports. That page will be kept up to date as responsibilities are reassigned.

The second change is to more clearly outline the announcement policy for rails vulnerabilities. In short, we notify vendor-sec ahead of the public notification to allow time for people distributing rails to prepare packages for their distributions. Then when the time has come for public notification an email is sent to the security announcement list. Finally the announcement is posted to this blog.

The security announcement list is extremely low volume and you’re strongly suggested to subscribe to it. This is the place which receives the first public announcements of all vulnerabilities in Rails, and also tends to receive additional notifications about vulnerabilities in ruby itself. We’ve been using this list for several years but judging by confusion and misinformed comments following the announcement of CVE-2009-1904, not enough people were aware of its existence.

If you have any comments on the security policy, please send them via email to security@rubyonrails.org.

Community Highlights: Ruby Heroes

This week I’m happy to tell you about a new set of articles which will be appearing here on the Rails blog called “Community Highlights”. This new series will feature people/projects/sites from the Rails community that may deserve a little extra recognition.

This week, we’re going to start with a few people who received awards on stage at Railsconf 2009, this years Ruby Heroes.

Brian Helmkamp

Brian has been a contributing member of the Ruby community for 4 years now, but is most well known for his testing library Webrat. He’s a contributer to Rails, RSpec, Rubinius, and is a co-author on the recent RSpec Book. More recently he’s been helping out the Rails core team with Rack:Test, and Rack:Debug.

His Blog: http://www.brynary.com/
Twitter: brynary

Aman Gupta

Aman has taken over the maintenance, new features, and the recent releases of EventMachine, which is an invaluable tool for writing fast ruby applications. He’s also the author behind amqp & xmpp4em gems which are deployed far and wide.

Github: http://github.com/tmm1
Twitter: tmm1

Luis Lavena

Luis has done a lot for the Ruby community in Argentina, but he’s most well known in our community for the work he’s done for windows users maintaining the One-Click Ruby Installer. Recently he’s put up a Plegie to help get the windows installer a new home.

His Blog: http://blog.mmediasys.com/
Twitter: luislavena

Pat Allan

Pat is the mastermind behind Thinking Sphinx which has become a standard when it comes to full-text search in Rails. He is also the author of the excellent Thinking Sphinx PDF book and one of the founders of Railscamp, where I hear he makes some killer pancakes.

His Blog: http://freelancing-gods.com/
Twitter: Pat

Dan Kubb

Dan been tirelessly working on one of the hardest Ruby projects around, DataMapper. He became the official maintainer after Sam Smoot and since then has completely rewritten the test suite to give DataMapper better coverage, has come up with a viable path to completion, and is currently working on making sure DataMapper works great with Rails 3.

Github: http://github.com/dkubb
Twitter: dkubb

John Nunemaker

Although John Nunemaker has released several widely used open source libraries, like HTTParty and HappyMapper, his main contribution in my opinion comes from his blog Rails Tips. Over the past year he’s written an incredible number educational blog posts on many Ruby and Rails topics.

RailsTips: http://railstips.org/
Twitter: jnunemaker

Those are your six Ruby Hero’s for 2009. If you’re interested you can also watch a video of the award ceremony which talks more about the methodology about how they were chosen and see 5 of these guys receive their awards on stage at Railsconf 2009.

DoS Vulnerability in Ruby

A Denial of Service vulnerability has been found and fixed in ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values and can cause the interpreter to crash. This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application. This vulnerability has been assigned the CVE name CVE-2009-1904.

For upgrade instructions and information on affected ruby versions please see the ruby security team’s announcement.

All users are advised to upgrade their ruby installations immediately to avoid this problem. In the event that you are unable to upgrade your ruby installation, or are using an out-of-maintenance ruby version, there is a workaround available on github. You can either install it as a gem, or simply copy the file bigdecimal-segfault-fix.rb into config/initializers of your rails application.

NOTE: this workaround breaks valid formats supported by BigDecimal, users should not rely on this fix for an extended period of time but should instead immediately begin planning a migration to a supported ruby release.

The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.

Thanks to Jose Fernández for reporting the vulnerability to the rails security team, and to the ruby security team for confirming the nature of the bug and handling the release process.

Security Problem with authenticate_with_http_digest

A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites, users are advised to take the mitigating steps described below immediately.

The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false.

If the return value was nil, rails proceeded to verify this value against the provided password. Because of this an attacker can provide an invalid username and no password and authentication will succeed.

Fixed Versions

We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.

Steps to Protect your application.

Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:

authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] end

Should instead be something like:

authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] || false end

Disclosure Notes

Due to communication difficulties and a mis-understanding between the reporter and the security team. This vulnerability has been publicly disclosed on several websites, users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.

Community feedback for the future of Rails

A few months ago, we announced the creation of a “forum” to discuss the future of Rails and what the community is interested in. Since then, many important suggestions/topics were addressed, many features were completed or started. My goal in this post is to give you a quick overview on the status of the uservoice forum.

rails uservoice

##Suggestions mentioned and completed:

  • Nested Model forms This is something that was actually started before we put the forum together and this feature is now available since Rails 2.3.x

  • Rails magazine Olimpiu Metiu already released two issues of his Rails Magazine. The PDF versions are available for free but you can also purchase the print version.

  • Better Wiki A lot of people have put efforts in building the new wiki and I’m sure a lot more content will be provided. We have also made the wiki available for translation.

##Accepted/started suggestions:

  • Improved performance This is something that already started in the Rails3 branch, go check the work done by Josh, Yehuda, Carl and others to make Rails perform even better.

  • Public and plugin API This is something that’s particularly important for 3rd party developers and therefore plugin users. There is still a lot of work to be done with 3rd party developers and “advanced users” before we can get a fixed API. However, once we will have this API, Rails updates and plugin compatibility should be much smoother.

  • Slices/Engine Rails 2.3 came with the ability to have engines in your plugins and if you were at RailsConf, you might have attended Yehuda and Carl’s talk on mountable apps. Thanks to some work done on the router and Action Controller, you should be able to mount a Rails app inside another one sometime in the future.

  • Easier to read code The refactoring has already started and the internal code should be cleaner and easier to read. Remember that Rails is 5 years old, such a task isn’t easy.

  • Better support for non relational databases Thanks to Action ORM and some more refactoring, non RDBMS and other data stores will be better supported.

  • Unbind Test::Unit and Prototype Agnosticism is a big theme in Rails 3. Even though, Test::Unit and prototype will be the default, Rails won’t make any assumptions about users using one framework or the other. Watch David’s keynote at RailsConf for more information.

  • Make Action Mailer consistent with regular controllers This task was started as part of the work done on Abstract Controller.

Don’t forget that you can still make your suggestions and/or pick one that is already listed and start working on it!

New code contributor index

Xavier Noria (code) and José Espinal (design) have created an awesome code contributor index for Rails core submissions. It’s being updated automatically every night and tracks the number of commits and which particular commits to individuals in the community. You can even track the commits over time, as in who’s been most active this month.

The site now lives at contributors.rubyonrails.org. Thanks to Xavier and José for putting in the work on this!