Paris on Rails is having its third annual conference on December 1st. There’s a wealth of great speakers lined up and yours truly will be doing a video iChat session as well. If you register before November 9th, the entrance fee is just 80 euros. If you can, go!
Time for another small security fix for Rails 2.0.x. The 2.0.5 release contains just two changes: a backport of the offset/limit sanitization fix for Active Record and a fix against header injection when using user-contributed strings in redirect_to (see Response Splitting for more information).
As always, you can install with:
gem install rails --version 2.0.5
The Ruby HTTP libraries used by Rails do not perform any sanitization of the values of their HTTP headers. This can lead to Response Splitting and Header Injection attacks in circumstances where user-provided values are written into response headers. If your application uses any user-submitted parameter to construct an HTTP header without sanitizing it, these malformed values can be used to set custom cookies and to forge fake responses to users.
A common scenario where this can be exploited is where your application takes a URL from the query string and redirects the user to it. To mitigate this common scenario, new versions of Rails will be released which sanitize the values passed to redirect_to. However, you will still need to take care when writing other values to response headers.
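As an added illustration (not the Rails 2.0.5 patch itself), the following Ruby shows the check a sanitizing redirect_to performs, CR/LF removal, alongside a strict variant for other headers you write yourself; the helper names, the same-site restriction on the redirect target and the sample input are assumptions of this example.

```ruby
# Added example, not the Rails patch: CR or LF in a header value lets the
# client parse the remainder as additional header lines (response splitting).
HEADER_BREAK = /[\r\n]/

class HeaderInjectionError < StandardError; end

# Strict variant for headers you set yourself: refuse any value that could
# start a new header line instead of guessing what the caller meant.
def assert_safe_header_value(value)
  value = value.to_s
  raise HeaderInjectionError, "CR/LF in header value" if value =~ HEADER_BREAK
  value
end

# Lenient variant in the spirit of the sanitized redirect_to: strip the line
# breaks so the value can no longer terminate the header it is written into.
def sanitize_header_value(value)
  value.to_s.gsub(HEADER_BREAK, "")
end

# Build a Location value from an untrusted target. Beyond the CR/LF fix, this
# example also keeps redirects on the same site (an assumption of the example,
# not something the advisory requires): only relative paths are accepted.
def safe_redirect_location(target, fallback = "/")
  clean = sanitize_header_value(target)
  return fallback unless clean.start_with?("/") && !clean.start_with?("//")
  clean
end

# Serialize headers the way an HTTP/1.x library writes them, so the effect of
# an unsanitized value on the header block is visible.
def render_headers(headers)
  headers.map { |name, value| "#{name}: #{value}\r\n" }.join + "\r\n"
end

if __FILE__ == $0
  # Constructed sample input standing in for a query-string parameter.
  untrusted = "/account\r\nSet-Cookie: session=constructed-sample"
  puts render_headers("Location" => untrusted)                       # two header lines emitted
  puts render_headers("Location" => safe_redirect_location(untrusted)) # one header line emitted
end
```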
The new versions which will contain the fixes are:
These releases are not available immediately, so in the event that it’s infeasible or inconvenient for your application to sanitize the user-supplied values it passes to redirect_to, patches are available at the following locations.
Thanks to Luka Treiber and Mitja Kolsek of ACROS Security for notifying us of this issue and the Ruby Security team for their advice.
RailsConf 2009 is going to Las Vegas, baby. It’s happening from May 4-7 at the Las Vegas Hilton. Last year was an astounding success with probably the best session line-up of any of the many RailsConfs we’ve had yet. We’re hell-bent on repeating that for 2009, but we need your help.
The call for proposals has opened and will stay open until February 17th, 2009. That’s a really long call for proposals and we’re doing it to get even more timely information available for the conference. If Rails 3.0 magically appears in January, we want to make sure there are sessions covering it.
The registration for the conference will open in January of 2009.
Welcome to yet another edition of This Week in Rails, where we summarize some of the most interesting stories of the past two weeks. If you’d rather listen to these stories with additional detail, check out the Rails Envy Podcast episodes #49 and #50.
Michael Koziarski recently removed country_select from edge Rails. Apparently Rails was using the ISO 3166 long-names standard list of countries, but some people don’t think this list is politically correct. For instance, it lists “Taiwan” as “Taiwan, province of China”. Rather than change this one and have to deal with other debatable country names, country_select has been moved to a plugin, so you can fork your own friendlier list of countries.
Rails’ built-in REST support is great, but if you’ve really spent time making your API usable, you’ve probably found that you had to make tweaks to what gets rendered when a user wants XML or JSON. Chris Heald wrote up one solution on his blog this week, which shows you how to use the XML Builder to produce XML which then gets translated into your XML, JSON, and maybe even YAML output formats.
If you ever find yourself needing to add role-based authorization to your Rails app, you should check out a blog post this week by Ernie Miller. He gives a unique implementation worth taking a look at.
Hosting, Performance, and Tuning
If you use Slicehost as your ISP for websites, Mark Reynolds wrote up a script that will install and fully configure your slice to get up and running with Rails, MySQL, and Thin.
We all should probably be load testing our applications more than we do, but this isn’t something that’s done easily. Luckily our favorite Ruby Hero, Ilya Grigorik, recently wrote up a tutorial which serves as a great guide to accurately benchmarking our Rails apps.
If you’re looking for additional tools to help fine tune your Ruby code, Dan Mayer wrote up a great overview of just about everything available.
Alexander Lang recently wrote up a blog post entitled A CouchDB primer for an ActiveRecord mindset. He gives a simplified introduction to CouchDB, goes over a few Ruby libraries that interface with it, and lastly introduces his new Ruby library called CouchPotato.
A few weeks back Rama McIntosh published a really useful script on his blog if you ever need to convert your application from one database to another using ActiveRecord.
Is your Rails app pre-Rails 2.1 and you’re envious of those readable named_scope methods? Ken Collins has back-ported named_scope to Rails 1.2.6 and 2.0.4 so you can take advantage of using this method.
If you’re using RSpec to test your Rails app, you may be interested to know that the RSpec Story Runner (where you do your integration tests) is going to be replaced by a Cucumber. Although it’s typically not a good thing to be replaced by a Cucumber, this particular one is a library written by Aslak Hellesoy which should bring some increased organization and additional benefits to your integration tests. If you want to get a head start on consuming the cucumber, then check out Aslak’s blog post.
Talking about testing, Shoulda 2.0 was recently released, which includes a few improvements and bugfixes. If you’d like an overview of everything Shoulda has to offer, Kyle Banker wrote up a great Shoulda cheat sheet you should take a look at.
Tog 0.2.1 was recently released, which is a collection of plugins that together form a social networking app. What’s great about Tog is that you can pick out just one plugin, like messaging, blogs, or CMS and bring that part into your existing Rails app.
Workling 0.3 was released last week, which serves as a great way to deal with background tasks in your Rails app, no matter what messaging queue service you’re using.
The Weather Channel provides a great API to pull down the current weather and forecasts around the world. Jared Pace recently created a Gem called WeatherMan which allows you to take full advantage of this data.
Jan De Poorter has recently revived the RailsXLS plugin, which uses a Java bridge and Jakarta POI to let you use Ruby to create Excel spreadsheets.
The Rails Rumble is taking place October 18th and 19th. It’s a 48-hour contest where you get one weekend to design, develop, and deploy the best web app you can, using Rails.
If you didn’t make it out to the WindyCityRails conference, Josh Symonds wrote up a nice overview.
If you live in the Great Lakes Area, you should check out the Great Lakes Ruby Bash, taking place October 11th in Ann Arbor, Michigan.
Scotland on Rails is being held in Edinburgh March 26th through 28th. Tickets aren’t available yet, but the call for proposals is open if you’d like to speak.
Welcome to the sixth edition of This Week in Rails, where we’ll take a look at the past two weeks of innovation in the Rails community. If you’d rather listen to this content on your iPod with additional Ruby news, check out the Rails Envy Podcast #47 and #48.
The Rails Guides Hackfest is in full swing, improving the Rails documentation by leaps and bounds. Rails Routing from the Outside In by Mike Gunderloy is a great read if you’re ever confused by Rails Routing. If you want to help with the Guide hackfest, there are several guides up that you can help review.
If you ever need to build a website which allows users to upload videos and then needs to encode them, definitely check out Panda, an open source video encoding application which uses EC2, S3, and SimpleDB. The application itself is written in Merb, but it’s designed to run separately on EC2 and can easily integrate with your Rails app on the front end.
If you’d like to ensure your Rails application is well written, Matt More wrote up a Rails Code Quality Checklist which serves as a great guide to Rails best practices. Also, if you need help discovering where your code might need a little refactoring, check out Roodi, a new gem by Marty Andres that gives you instant feedback about your Ruby code by examining a few metrics including cyclomatic complexity, method length, bad method names, and blank blocks or loops. Lastly, if you’ve been following the “skinny controller, fat model” best practice, you may have found yourself with really fat models (not so good). Paul Barry suggests one way to deal with this using concerned_with.
If you’re about to start a new Rails application then you might consider using Bort, a Rails starter application from Jim Neath. Bort contains RESTful Auth, Will Paginate, Exception Notifier, Asset Packager, a Capistrano Recipe, and everything is tested by RSpec. If you’d rather start your system with email login instead of username, Matt Hall put together a fork of bort for this.
Implementing a page with multiple file uploads in Rails is no easy task. Luckily, Brian Getting wrote up a tutorial which makes it look easy.
Clemens Kofler wrote up a Guide to Memoization which walks through all the details of this convention and looks at the new “memoize” helper in Edge Rails ActiveSupport. If you don’t know what this word means, please do take the time to read his tutorial.
If you’ve ever developed a plugin, you may have just decided to manually run your tests every time you change your code. Last week Ken Collins put out a new library called Autotest Railsplugin which makes it dirt simple to run autotest on plugins you’re developing.
Lastly, if you’re looking for other Ruby/Rails podcasts, check out the Rails Podcast which recently featured Jim Weirich at erubycon, Rubyology which recently interviewed Avi Bryant, the Learning Rails podcast which recently covered how to deploy your Rails app, Railscasts which recently covered Starling and Workling, and the Rails Brazil Podcast if you speak Portuguese.
That’s all for now. If you create or discover any notable tools or blog posts this week, feel free to send me an email (Gregg@RailsEnvy).
Welcome to the fifth edition of This Week in Rails, a weekly report with highlights from the Rails community. Antonio Cangiano (the original author) has been pretty busy, so I figured I’d step in this week.
If your Rails app has a lot of heavy-duty SQL queries, you may want to take a look at a plugin by Fernando Blat called Query memcached. This plugin overrides Rails’ default query cache functionality, storing all database query results in memcached for use by subsequent requests.
Have you ever implemented an advanced search page for a Rails application? If yes, you may have ended up with bloated controller code. One solution to the problem is Searchgasm by Binary Logic which helps you do object based searching, and keep your search code clean and simple.
Ryan Daigle told us about some great new features in Rails Edge, including Connection Pooling, Shallow Routes, and Mailer Layouts. We should be getting a Rails 2.2 beta any day now, so stay tuned for that.
Last week Mark Imbriaco from 37 Signals put together a great blog entry and screencast which shows how they use HAProxy in their server setup. If you’re not familiar with the benefits of using HAProxy over the Apache round-robin load balancer, you need to watch his screencast.
Perhaps you’ve started using jQuery instead of Prototype for Rails. You might have used a plugin for this (ex. jQuery on Rails), but if you started from scratch you might have run into that problem with sending authenticity tokens with your AJAX requests. Lawrence Pit posted the jQuery code you’ll need to take care of this.
Neverblock is a library that allows you to use Ruby Fibers to write non-blocking concurrent code. This project recently released a non-blocking PostgreSQL adapter, a non-blocking MySQL adapter, and most recently got their Fiber library running on Ruby 1.8 with Rails with some amazing benchmarks! It’s still a very young project, but it’s one more step towards a safely multi-threaded Rails stack.
Lastly, I’ve got some events to tell you about. Ruby DCamp is taking place October 11th-12th in Arlington, VA, the Rails Summit Latin America is taking place October 15th and 16th in São Paulo, Brazil, and the South Carolina Ruby Conference is on October 18th in Columbia, SC.
Thanks for reading! If you would have rather listened to this information (with slightly more detail), you should check out the Rails Envy Podcast #46 which came out today. It’s no mistake that it’s covering the same material (I help with the podcast).
Sven Fuchs gave a great presentation at RailsConf Europe about the history and details of the forthcoming I18n support in Rails 2.2. Well worth reading if you’re in need of internationalization services for your current or future app.
To install, just do:
gem install rails --version 2.1.1
The next release will be the Rails 2.2 beta, which is quite close.
I’m pleased to finally announce the Rails Guides Hackfest. And we’ve got really exciting prizes too! There is a list of guides available at Lighthouse. You can select one of those, update the ticket and start writing the guide straight away.
For each completed guide, the author will receive all of the following prizes:
- $200 from Caboose Rails Documentation Project
- 1 year of GitHub Micro account
- 1 year of RPM Basic (Production performance management) for up to 10 hosts
You can find more details at http://hackfest.rubyonrails.org/guide
Special thanks to GitHub, Newrelic & Caboose documentation project for making the hackfest a lot more exciting!