Rails 2.2 RC1: i18n, thread safety, docs, etag/last-modified, JRuby/1.9 compatibility

Rails 2.2 is almost ready for its final release, but before we christen the gems, we’d like to have everyone test out a release candidate. Rails 2.2 is a major upgrade that includes a wealth of new features and fixes.

Chief inclusions are an internationalization framework, thread safety (including a connection pool for Active Record), easier access to HTTP caching with etags and last modified, compatibility with Ruby 1.9 and JRuby, and a wealth of new documentation.

Mike Gunderloy has compiled an exhaustive list and walk-through of many of the interesting new features for the Rails 2.2 release notes.

To help test the Rails 2.2 release candidate, please install with:
gem install rails -s http://gems.rubyonrails.org -v 2.2.0

Hopefully there will not be too much folly in the RC and we can quickly move to a final release. But it requires your help to get there.

Note that this release is called 2.2.0, not 2.1.99 as our previous naming scheme would have dictated. So the final release of Rails 2.2 will actually be 2.2.1 (if we only need one RC).

Rails 2.1.2: Security, other fixes

Rails 2.1.2 includes the same two security fixes that we pushed out for 2.0.x recently. We’re talking about a backport of the offset/limit sanitization fix for Active Record and a fix against header-injection when using user-contributed strings in redirect_to (see Response Splitting for more information).

In addition, Rails 2.1.2 fixes the warning that users of RubyGems 1.3.0 were having with script/generate as well as a range of other minor fixes. Enjoy!

As always, you can install with:
gem install rails --version 2.1.2

Paris on Rails: December 1st

Paris on Rails is having its third annual conference on December 1st. There’s a wealth of great speakers lined up, and yours truly will be doing a video iChat session as well. If you register before November 9th, the entrance fee is just 80 euros. If you can, go!

Response Splitting Risk

The Ruby HTTP libraries used by Rails do not perform any sanitization of the values of their HTTP headers. This can lead to Response Splitting and Header Injection attacks in circumstances where user-provided values are written into response headers. If your application uses any user-submitted parameter to construct an HTTP header without sanitizing it, these malformed values can be used to set custom cookies and to forge fake responses to users.

A common scenario where this can be exploited is where your application takes a URL from the query string and redirects the user to it. To mitigate this common scenario, new versions of Rails will be released which sanitize the values passed to redirect_to. However, you will still need to take care when writing other values to response headers.
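The two defensive treatments the paragraph above implies, as an added example that is not code from Rails or from the advisory: stripping CR/LF from a value before it reaches a header, and the stricter allow-list check for a "redirect to the URL in the query string" flow. The helper names, the `allowed_hosts` setting and the sample inputs are assumptions constructed for this example.

```ruby
require 'uri'

# Header values must not contain a carriage return or line feed: an
# embedded line break ends the Location header early and lets the rest
# of the value be read as further headers (or as the response body).
HEADER_BREAK = /[\r\n]/

# Strip approach: drop CR/LF from the value before it reaches a header.
# (Assumed equivalent of the sanitization the fixed Rails releases apply
# to redirect_to; the exact implementation is not shown on the page.)
def sanitize_header_value(value)
  value.to_s.gsub(HEADER_BREAK, '')
end

# Allow-list approach, the stricter option for a "redirect to ?url=" flow:
# reject any value with a line break outright, accept only local absolute
# paths or http(s) URLs on hosts we control, else fall back to a safe path.
# `allowed_hosts` is a hypothetical application setting.
def safe_redirect_target(value, allowed_hosts:, fallback: '/')
  value = value.to_s
  return fallback if value.empty? || value.match?(HEADER_BREAK)

  uri = URI.parse(value)
  if uri.host.nil?
    # Relative target: must be a local path, not a protocol-relative //host
    # and not an opaque URI such as javascript:... (no leading slash).
    return value.start_with?('/') && !value.start_with?('//') ? value : fallback
  end
  return fallback unless %w[http https].include?(uri.scheme)

  allowed_hosts.include?(uri.host) ? value : fallback
rescue URI::InvalidURIError
  fallback
end

# Constructed sample inputs, as they might arrive in params[:return_to].
SAMPLES = [
  '/account',
  'http://example.com/orders',
  '//other.example/',
  "http://example.com/\r\nX-Injected: 1" # the line break splits the header
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |s|
    puts "#{s.inspect} -> #{safe_redirect_target(s, allowed_hosts: ['example.com']).inspect}"
  end
end
```

Note that stripping alone still lets an attacker-chosen host through; the allow-list is what keeps the redirect on your own sites.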

The new versions which will contain the fixes are:

  • 2.0.5
  • 2.1.2
  • 2.2.0

These releases are not available immediately, so in the event that it’s infeasible or inconvenient for your application to sanitize the user-supplied values it passes to redirect_to, patches are available at the following locations.

Users of Edge Rails prior to ba80ff74a962 should update to the latest revisions, cherry-pick the change at ba80ff74a962, or apply this patch.

Thanks to Luka Treiber and Mitja Kolsek of ACROS Security for notifying us of this issue and the Ruby Security team for their advice.

RailsConf '09: Accepting proposals for Vegas!

RailsConf 2009 is going to Las Vegas, baby. It’s happening from May 4-7 at the Las Vegas Hilton. Last year was an astounding success with probably the best session line-up of any of the many RailsConfs we’ve had yet. We’re hell bent on repeating that for 2009, but we need your help.

The call for proposals has opened and will stay open until February 17th, 2009. That’s a really long call for proposals and we’re doing it to get even more timely information available for the conference. If Rails 3.0 magically appears in January, we want to make sure there are sessions covering it.

The registration for the conference will open in January of 2009.

2 Weeks in Rails (October 10, 2008)

Welcome to yet another edition of This Week in Rails, where we summarize some of the most interesting stories of the past two weeks. If you’d rather listen to these stories with additional detail, check out the Rails Envy Podcast episodes #49 and #50.

Michael Koziarski recently removed country_select from Edge Rails. Apparently Rails was using the ISO 3166 long-names standard list of countries, but some people don’t think this list is politically correct. For instance, it lists “Taiwan” as “Taiwan, province of China”. Rather than change this one and have to deal with other debatable country names, country_select has been moved to a plugin, so you can fork your own friendlier list of countries.

Rails’ built-in REST support is great, but if you’ve really spent time making your API usable, you’ve probably found that you had to make tweaks to what gets rendered to the page when a user wants XML or JSON. Chris Heald wrote up one solution on his blog this week, which shows you how to use XML Builder to produce XML which gets translated for your XML, JSON, and maybe even YAML output formats.

If you ever find yourself needing to add role-based authorization to your Rails app, you should check out a blog post this week by Ernie Miller. He gives a unique implementation worth taking a look at.

Hosting, Performance, and Tuning

If you use Slicehost as your ISP for websites, Mark Reynolds wrote up a script that will install and fully configure your slice to get up and running with Rails, MySQL, and Thin.

We all should probably be load testing our applications more than we do, but this isn’t something that’s done easily. Luckily our favorite Ruby Hero, Ilya Grigorik, recently wrote up a tutorial which serves as a great guide to accurately benchmarking our Rails apps.

If you’re looking for additional tools to help fine tune your Ruby code, Dan Mayer wrote up a great overview of just about everything available.

Alexander Lang recently wrote up a blog post entitled A CouchDB primer for an ActiveRecord mindset. He gives a simplified introduction to CouchDB, goes over a few Ruby libraries that interface with it, and lastly introduces his new Ruby library called CouchPotato.

A few weeks back Rama McIntosh published a really useful script on his blog if you ever need to convert your application from one database to another using ActiveRecord.

Library News

Is your Rails app pre-Rails 2.1, and are you envious of those readable named_scope methods? Ken Collins has back-ported named_scope to Rails 1.2.6 and 2.0.4 so you can take advantage of this method.

If you’re using RSpec to test your Rails app, you may be interested to know that the RSpec Story Runner (where you do your integration tests) is going to be replaced by a Cucumber. Although it’s typically not a good thing to be replaced by a Cucumber, this particular one is a library written by Aslak Hellesoy which should bring some increased organization and additional benefits to your integration tests. If you want to get a head start on consuming the cucumber, then check out Aslak’s blog post.

Talking about testing, Shoulda 2.0 was recently released, which includes a few improvements and bugfixes. If you’d like an overview of everything Shoulda has to offer, Kyle Banker wrote up a great Shoulda cheat sheet you should take a look at.

Noel Rappin, the same guy who brought you Rails iui, recently released TankEngine, a new Rails plugin for targeting the iPhone and Mobile Safari. It uses a jQuery-based JavaScript layer, and it’s much more flexible and has better helpers than the original Rails iui.

Marc-André Cournoyer recently released Thin 1.0, the ultra-fast web server. Quite a few people have moved to Thin from Mongrel in their production environments.

Tog 0.2.1 was recently released, which is a collection of plugins that together form a social networking app. What’s great about Tog is that you can pick out just one plugin, like messaging, blogs, or CMS and bring that part into your existing Rails app.

Workling 0.3 was released last week, which serves as a great way to deal with background tasks in your Rails app, no matter what messaging queue service you’re using.

The Weather Channel provides a great API to pull down the current weather and forecasts around the world. Jared Pace recently created a Gem called WeatherMan which allows you to take full advantage of this data.

Jan De Poorter has recently revived the RailsXLS plugin, which uses a Java bridge and Jakarta to let you use Ruby to create Excel spreadsheets.

Event News

The Rails Rumble is taking place October 18th and 19th. It’s a 48-hour contest where you get one weekend to design, develop, and deploy the best web app you can, using Rails.

If you didn’t make it out to the WindyCityRails conference, Josh Symonds wrote up a nice overview.

If you live in the Great Lakes Area, you should check out the Great Lakes Ruby Bash, taking place October 11th in Ann Arbor, Michigan.

Scotland on Rails is being held in Edinburgh March 26 through 28th. Tickets aren’t available yet, but the call for proposals is open if you’d like to speak.

Image Credit: Blue Sky on Rails by ecstaticist, Analog Solutions 606 Mod by Formication, RailsConf Europe 2006 by Paul Watson, Rainbow by One Good Bumblebee.

This Week in Rails (September 24, 2008)

Welcome to the sixth edition of This Week in Rails, where we’ll take a look at the past two weeks of innovation in the Rails community. If you’d rather listen to this content on your iPod with additional Ruby news, check out the Rails Envy Podcast #47 and #48.

The Rails Guides Hackfest is in full swing, improving the Rails documentation by leaps and bounds. Rails Routing from the Outside In by Mike Gunderloy is a great read if you’re ever confused by Rails Routing. If you want to help with the Guide hackfest, there are several guides up that you can help review.

If you ever need to build a website which allows users to upload videos and then needs to encode them, definitely check out Panda, an open source video encoding application which uses EC2, S3, and SimpleDB. The application itself is written in Merb, but it’s designed to run separately on EC2 and can easily integrate with your Rails app on the front end.

If you’d like to ensure your Rails application is well written, Matt More wrote up a Rails Code Quality Checklist which serves as a great guide to Rails best practices. Also, if you need help discovering where your code might need a little refactoring, check out Roodi, a new gem by Marty Andres that gives you instant feedback about your Ruby code by examining a few metrics including cyclomatic complexity, method length, bad method names, and blank blocks or loops. Lastly, if you’ve been following the “skinny controller, fat model” best practice, you may have found yourself with really fat models (not so good). Paul Barry suggests one way to deal with this using concerned_with.

If you’re about to start a new Rails application then you might consider using Bort, a Rails starter application from Jim Neath. Bort contains RESTful Auth, Will Paginate, Exception Notifier, Asset Packager, a Capistrano Recipe, and everything is tested by RSpec. If you’d rather start your system with email login instead of username, Matt Hall put together a fork of bort for this.

Implementing a page with multiple file uploads in Rails is no easy task. Luckily, Brian Getting wrote up a tutorial which makes it look easy.

Clemens Kofler wrote up a Guide to Memoization which walks through all the details of this convention and looks at the new “memoize” helper in Edge Rails ActiveSupport. If you don’t know what this word means, please do take the time to read his tutorial.

If you’ve ever developed a plugin, you may have just decided to manually run your tests every time you change your code. Last week Ken Collins put out a new library called Autotest Railsplugin which makes it dirt simple to run autotest on plugins you’re developing.

Lastly, if you’re looking for other Ruby/Rails podcasts, check out the Rails Podcast which recently featured Jim Weirich at erubycon, Rubyology which recently interviewed Avi Bryant, the Learning Rails podcast which recently covered how to deploy your Rails app, Railscasts which recently covered Starling and Workling, and the Rails Brazil Podcast if you speak Portuguese.

That’s all for now. If you create or discover any notable tools or blog posts this week, feel free to send me an email (Gregg@RailsEnvy).

Image Credit: Still on the right track by janusz l