Response Splitting Risk

The Ruby HTTP libraries used by Rails do not perform any sanitization of the values of their HTTP headers. This can lead to Response Splitting and Header Injection attacks in circumstances where user-provided values are written into response headers. If your application uses any user-submitted parameters to construct HTTP headers without sanitizing them, these malformed values can be used to set custom cookies and to forge fake responses to users.

A common scenario where this can be exploited is where your application takes a URL from the query string and redirects the user to it. To mitigate this common scenario, new versions of Rails will be released which sanitize the values passed to redirect_to. However, you will still need to take care when writing other values to response headers.
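As an added illustration (not code from the advisory or from Rails itself), here is a small Ruby header guard in the spirit of the redirect_to fix: a permissive variant that strips CR/LF from a value, a strict variant that rejects it, and a serializer that refuses to emit any header whose value could break the line. The module and method names, and the tainted sample URL, are my own constructions.

```ruby
# Added example, not the Rails patch: sanitize or reject header values that
# contain line breaks, which is what makes response splitting possible.
module HeaderGuard
  # A CR or LF inside a header value ends the header line early, so any text
  # after it is read by the client as a further header or as the body.
  LINE_BREAK = /[\r\n]/

  # Permissive fix: drop the line-break characters and keep the rest.
  def self.sanitize(value)
    value.to_s.gsub(LINE_BREAK, "")
  end

  # Strict fix: refuse the value outright. Preferable for redirect targets,
  # which never legitimately contain control characters.
  def self.validate!(value)
    raise ArgumentError, "header value contains CR/LF" if value.to_s =~ LINE_BREAK
    value.to_s
  end

  # Serialize a header hash into wire form, checking every name and value, so
  # the only CRLFs in the output are the ones that terminate each line.
  def self.serialize(headers)
    headers.map do |name, value|
      raise ArgumentError, "bad header name #{name.inspect}" unless name.to_s =~ /\A[A-Za-z0-9-]+\z/
      "#{name}: #{validate!(value)}\r\n"
    end.join + "\r\n"
  end
end

# Constructed sample: a redirect target taken from the query string that
# carries an embedded CRLF of the kind the advisory warns about.
TAINTED_URL = "http://example.com/\r\nX-Constructed: demo"

if __FILE__ == $0
  puts HeaderGuard.sanitize(TAINTED_URL)   # "http://example.com/X-Constructed: demo"
  puts HeaderGuard.serialize("Location" => HeaderGuard.sanitize(TAINTED_URL))
  begin
    HeaderGuard.serialize("Location" => TAINTED_URL)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Stripping keeps the request going, rejecting makes the bad input visible in your logs; either way the value that reaches the header no longer contains a line break.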

The new versions which will contain the fixes are:

  • 2.0.5
  • 2.1.2
  • 2.2.0

These releases are not available immediately, so in the event that it’s infeasible or inconvenient for your application to sanitize the user-supplied values it passes to redirect_to, patches are available at the following locations.

Users of Edge Rails prior to ba80ff74a962 should update to the latest revisions, cherry-pick the change at ba80ff74a962, or apply this patch.

Thanks to Luka Treiber and Mitja Kolsek of ACROS Security for notifying us of this issue and the Ruby Security team for their advice.

RailsConf '09: Accepting proposals for Vegas!

RailsConf 2009 is going to Las Vegas, baby. It’s happening from May 4-7 at the Las Vegas Hilton. Last year was an astounding success with probably the best session line-up of any of the many RailsConfs we’ve had yet. We’re hell bent on repeating that for 2009, but we need your help.

The call for proposals has opened and will stay open until February 17th, 2009. That’s a really long call for proposals and we’re doing it to get even more timely information available for the conference. If Rails 3.0 magically appears in January, we want to make sure there are sessions covering it.

The registration for the conference will open in January of 2009.

2 Weeks in Rails (October 10, 2008)

Welcome to yet another edition of This Week in Rails, where we summarize some of the most interesting stories of the past two weeks. If you’d rather listen to these stories with additional detail, check out the Rails Envy Podcast episodes #49 and #50.

Michael Koziarski recently removed country_select from edge Rails. Apparently Rails was using the ISO 3166 Long Names standard list of countries, but some people don’t think this list is politically correct. For instance it lists “Taiwan” as “Taiwan, province of China”. Rather than change this one and have to deal with other debatable country names, country_select has been moved to a plugin, so you can fork your own friendlier list of countries.

Rails’ built-in REST support is great, but if you’ve really spent time making your API usable, you’ve probably found that you had to make tweaks to what gets rendered to the page when a user wants XML or JSON. Chris Heald wrote up one solution on his blog this week, which shows you how to use XML Builder to produce XML which gets translated for your XML, JSON, and maybe even YAML output formats.

If you ever find yourself needing to add role-based authorization to your Rails app, you should check out a blog post this week by Ernie Miller. He gives a unique implementation worth taking a look at.

Hosting, Performance, and Tuning

If you use Slicehost as your ISP for websites, Mark Reynolds wrote up a script that will install and fully configure your slice to get up and running with Rails, Mysql, and Thin.

We all should probably be load testing our applications more than we do, but this isn’t something that’s done easily. Luckily our favorite Ruby Hero, Ilya Grigorik, recently wrote up a tutorial which serves as a great guide to accurately benchmarking our Rails apps.

If you’re looking for additional tools to help fine tune your Ruby code, Dan Mayer wrote up a great overview of just about everything available.

Alexander Lang recently wrote up a blog post entitled A CouchDB primer for an ActiveRecord mindset. He gives a simplified introduction to CouchDB, goes over a few Ruby libraries that interface with it, and lastly introduces his new Ruby library called CouchPotato.

A few weeks back Rama McIntosh published a really useful script on his blog if you ever need to convert your application from one database to another using ActiveRecord.

Library News

Is your Rails app pre-2.1 and are you envious of those readable named_scope methods? Ken Collins has back-ported named_scope to Rails 1.2.6 and 2.0.4 so you can take advantage of using this method.

If you’re using RSpec to test your Rails app, you may be interested to know that the RSpec Story Runner (where you do your integration tests) is going to be replaced by a Cucumber. Although it’s typically not a good thing to be replaced by a Cucumber, this particular one is a library written by Aslak Hellesoy which should bring some increased organization and additional benefits to your integration tests. If you want to get a head start on consuming the cucumber, then check out Aslak’s blog post.

Talking about testing, Shoulda 2.0 was recently released, which includes a few improvements and bugfixes. If you’d like an overview of everything Shoulda has to offer, Kyle Banker wrote up a great Shoulda cheat sheet you should take a look at.

Noel Rappin, the same guy who brought you Rails iui, recently released TankEngine, a new Rails plugin for targeting the iPhone and Mobile Safari. It uses a jQuery-based JavaScript layer, is much more flexible, and has better helpers than the original Rails iui.

Marc-Andre Cournoyer recently released Thin 1.0, the ultra-fast web server. Quite a few people have moved to Thin from Mongrel in their production environments.

Tog 0.2.1, a collection of plugins that together form a social networking app, was recently released. What’s great about Tog is that you can pick out just one plugin, like messaging, blogs, or CMS, and bring that part into your existing Rails app.

Workling 0.3 was released last week, which serves as a great way to deal with background tasks in your Rails app, no matter what messaging queue service you’re using.

The Weather Channel provides a great API to pull down the current weather and forecasts around the world. Jared Pace recently created a Gem called WeatherMan which allows you to take full advantage of this data.

Jan De Poorter has recently revived the RailsXLS plugin, which uses a Java bridge and Jakarta to let you use Ruby to create Excel spreadsheets.

Event News

The Rails Rumble is taking place October 18th and 19th. It’s a 48 hour contest where you get one weekend to design, develop, and deploy the best web app you can, using Rails.

If you didn’t make it out to the WindyCityRails conference, Josh Symonds wrote up a nice overview.

If you live in the Great Lakes Area, you should check out the Great Lakes Ruby Bash, taking place October 11th in Ann Arbor, Michigan.

Scotland on Rails is being held in Edinburgh March 26th through 28th. Tickets aren’t available yet, but the call for proposals is open if you’d like to speak.

Image Credit: Blue Sky on Rails by ecstaticist, Analog Solutions 606 Mod by Formication, RailsConf Europe 2006 by Paul Watson, Rainbow by One Good Bumblebee.

This Week in Rails (September 24, 2008)

Welcome to the sixth edition of This Week in Rails, where we’ll take a look at the past two weeks of innovation in the Rails community. If you’d rather listen to this content on your iPod with additional Ruby news, check out the Rails Envy Podcast #47 and #48.

The Rails Guides Hackfest is in full swing, improving the Rails documentation by leaps and bounds. Rails Routing from the Outside In by Mike Gunderloy is a great read if you’re ever confused by Rails Routing. If you want to help with the Guide hackfest, there are several guides up that you can help review.

If you ever need to build a website which allows users to upload videos and then needs to encode them, definitely check out Panda, an open source video encoding application which uses EC2, S3, and SimpleDB. The application itself is written in Merb, but it’s designed to run separately on EC2 and can easily integrate with your Rails app on the front end.

If you’d like to ensure your Rails application is well written, Matt More wrote up a Rails Code Quality Checklist which serves as a great guide to Rails best practices. Also, if you need help discovering where your code might need a little refactoring, check out Roodi, a new gem by Marty Andres that gives you instant feedback about your Ruby code by examining a few metrics including cyclomatic complexity, method length, bad method names, and blank blocks or loops. Lastly, if you’ve been following the “skinny controller, fat model” best practice, you may have found yourself with really fat models (not so good). Paul Barry suggests one way to deal with this using concerned_with.

If you’re about to start a new Rails application, then you might consider using Bort, a Rails starter application from Jim Neath. Bort contains RESTful Auth, Will Paginate, Exception Notifier, Asset Packager, a Capistrano recipe, and everything is tested by RSpec. If you’d rather start your system with email login instead of username, Matt Hall put together a fork of Bort for this.

Implementing a page with multiple file uploads in Rails is no easy task. Luckily, Brian Getting wrote up a tutorial which makes it look easy.

Clemens Kofler wrote up a Guide to Memoization which walks through all the details of this convention and looks at the new “memoize” helper in Edge Rails ActiveSupport. If you don’t know what this word means, please do take the time to read his tutorial.

If you’ve ever developed a plugin, you may have just decided to manually run your tests every time you change your code. Last week Ken Collins put out a new library called Autotest Railsplugin which makes it dirt simple to run autotest on plugins you’re developing.

Lastly, if you’re looking for other Ruby/Rails podcasts, check out the Rails Podcast, which recently featured Jim Weirich at erubycon; Rubyology, which recently interviewed Avi Bryant; the Learning Rails podcast, which recently covered how to deploy your Rails app; Railscasts, which recently covered Starling and Workling; and the Rails Brazil Podcast if you speak Portuguese.

That’s all for now. If you create or discover any notable tools or blog posts this week, feel free to send me an email (Gregg@RailsEnvy).

Image Credit: Still on the right track by janusz l

This Week in Rails (September 10, 2008)

Welcome to the fifth edition of This Week in Rails, a weekly report with highlights from the Rails community. Antonio Cangiano (the original author) has been pretty busy, so I figured I’d step in this week.

As you probably already know, Rails 2.0.4 and Rails 2.1.1 were released this week. Both are mostly bug fixes, but check out the changelog if you want all the details.

If your Rails app has a lot of heavy-duty SQL queries, you may want to take a look at a plugin by Fernando Blat called Query memcached. This plugin overrides Rails’ default query cache functionality, storing all database queries in memcached for use by subsequent requests.

Have you ever implemented an advanced search page for a Rails application? If yes, you may have ended up with bloated controller code. One solution to the problem is Searchgasm by Binary Logic which helps you do object based searching, and keep your search code clean and simple.

Ryan Daigle told us about some great new features in Rails Edge, including Connection Pooling, Shallow Routes, and Mailer Layouts. We should be getting a Rails 2.2 beta any day now, so stay tuned for that.

If you have any Java friends who use Apache Derby and are looking to try out JRuby, Michael Galpin wrote up an introduction to Rails using JRuby and Derby.

Last week Mark Imbriaco from 37 Signals put together a great blog entry and screencast which shows how they use HAProxy in their server setup. If you’re not familiar with the benefits of using HAProxy over the Apache round-robin load balancer, you need to watch his screencast.

Perhaps you’ve started using jQuery instead of Prototype for Rails. You might have used a plugin for this (ex. jQuery on Rails), but if you started from scratch you might have run into that problem with sending authenticity tokens with your AJAX requests. Lawrence Pit posted the jQuery code you’ll need to take care of this.

Neverblock is a library that allows you to use Ruby Fibers to write non-blocking concurrent code. This project recently released a non-blocking PostgreSQL adapter and a non-blocking MySQL adapter, and most recently got its Fiber library running on Ruby 1.8 with Rails, with some amazing benchmarks! It’s still a very young project, but it’s one more step towards a safely multi-threaded Rails stack.

Lastly, I’ve got some events to tell you about. Ruby DCamp is taking place October 11th-12th in Arlington, VA; the Rails Summit Latin America is taking place October 15th and 16th in Sao Paulo, Brazil; and the South Carolina Ruby Conference is on October 18th in Columbia, SC.

Thanks for reading! If you would have rather listened to this information (with slightly more detail), you should check out the Rails Envy Podcast #46 which came out today. It’s no mistake that it’s covering the same material (I help with the podcast).

Guides Hackfest

I’m pleased to finally announce the Rails Guides Hackfest. And we’ve got really exciting prizes too! There is a list of guides available at Lighthouse. You can select one of those, update the ticket and start writing the guide straight away.

For each completed guide, the author will receive all of the following prizes:

You can find more details at

Special thanks to GitHub, Newrelic & Caboose documentation project for making the hackfest a lot more exciting!

Rails 2.0.4: Maintenance release

Thanks to Git it’s been a lot easier to maintain older branches of the code base, so we’ve taken the opportunity to backport a bunch of bug fixes to the 2.0 branch, and here’s the release for that.

The only major issue is that we’ve fixed the REXML DoS vulnerability with a monkey patch that ships in the box. So if you’re on 2.0 and haven’t dealt with the issue already, you can upgrade to 2.0.4 and get it fixed.

You can install with: gem install rails --version 2.0.4

See all the changes

UPDATE: The actual 2.0.4 gem didn’t get published yesterday due to a bug in the release script. It’s been fixed and 2.0.4 is actually available on the main gem repository. Sorry about that!