This Week in Edge Rails

Rails, as you probably know, is under active development. So, for those of you who don’t have time to read every commit to the source, we’ve decided to revive this section of the weblog. This time around, I’m covering 3 weeks of commits: the time since Rails 2.2 RC1 (otherwise known as Rails 2.2.0) was released. Though there aren’t any major new features being added as Rails drives towards the 2.2 release, that doesn’t mean the source has been completely quiet: there have been about 75 commits in that three-week period. Here’s a look at some of those changes.

In the run-up to 2.2, we’re seeing a batch of little bug fixes, as people try to ensure quality in the release. These include:

  • Squashing a binary data corruption bug that surfaced in the PostgreSQL adapter. commit
  • The regex behind redirect_to can now accept a wider variety of URL schemes, making it possible to redirect to some destinations that were previously inaccessible. commit
  • A regression in date_select and datetime_select that could raise a Null Pointer Exception under some circumstances has been fixed. commit
  • The sanitize helper has been fixed to avoid double escaping already properly escaped entities. commit
  • FormTagHelper has been stopped from generating illegal HTML if the name contains square brackets. commit
  • A memory leak was squashed in Active Record scoped methods. commit

Some of the major features for 2.2 have been getting fine-tuned as well. There’s been work to clean up some loose ends in the thread safety department, and changes to make the I18n backend reload its translations in development mode. The included Prototype bits were bumped to the latest release. The code for configuring, loading, and vendoring gems has had some attention, and the code for maintaining database connection pools has come in for some fine-tuning as well.

Just because we’re in feature freeze doesn’t mean that a few new features can’t sneak in:

  • The current_page method is a bit more reliable now in that it ignores options you don’t explicitly supply (making it more friendly to URLs that use the query string for pagination and the like). commit
  • The default logging has been cleaned up to be less chatty: you’ll see fewer duplicate log messages as Rails goes about its business. commit
  • The render method now takes a :js option to allow you to directly render inline JavaScript without using RJS. commit
  • If you’ve got a current (Ruby 1.8.7 or greater) version of Ruby, Action Mailer turns on STARTTLS if the server supports it; this makes Action Mailer compatible with GMail without the need for plugins. commit

One final note: I’m deliberately not trying to cover every single commit here; just those ones that struck me as most interesting. But if I left out something that you think is highly significant, feel free to add a pointer in the comments!

Rails Guides Wants You

If you haven’t looked at the state of Rails documentation lately, it’s time to look again. The new Ruby on Rails Guides page includes 14 separate guides for Rails developers, with topics ranging from “Getting Started” to routing, security, testing, and debugging. That’s over 70,000 words of help content for Rails users that didn’t exist two months ago when we launched the Rails Guides project.

But we’re not done yet! We’re starting phase 2 of the Guides project, and planning a fresh batch of content to add to what’s already there. Our goal is to have a single page where you can find all of the information you need to be an effective Rails developer. Remember, though: this is open source. That means we want your help too!

Here’s what you can do to get involved:

  • Read about the process of and rewards for contributing on the Hackfest page.
  • Check the list of available tickets in our Lighthouse project, and sign up to write a guide.
  • Submit corrections, suggestion, bugs, or patches for the existing guides. You’ll find a link to the relevant Lighthouse ticket at the bottom of each guide.
  • Let us know what other guides you think should be added – whether you want to write them, or just hope that someone else will. Just leave a note in the comments here and we’ll get your idea into the process.

You’ll usually find some of the documentation team hanging around in #docrails on IRC. Come join us and help the community!

3 Weeks in Rails (October 29, 2008)

It’s been 3 weeks (I know I’ve been slacking). However, it’s time to write out another summary of information that any Rails developer might want to know about. Detailed audio versions of these notes can be found on the Rails Envy Podcast #51, #52, and #53.

You may already be aware that Rails 2.2 RC1 was released last Friday. For a glimpse at the new features you can read through the Release Notes. However, if you’re looking for something more comprehensive check out the Envycast on Ruby on Rails 2.2^ or the What’s New PDF by Carlos Brando.

Rails 2.0.5 and Rails 2.1.2 were also pushed in the last few weeks, mostly just plugging up a few small security concerns. If you’re on 2.x, you should probably take the time to upgrade.

If you’re taking advantage of the localization features of Rails 2.2, there are two libraries you should probably be aware of. First, Diego Carrion recently created a fork of restful_authentication where he added full support for i18n. Secondly, Karel Minarik recently released a plugin for doing localized_country_select so you can display countries the appropriate language.

If you need your Rails application to receive emails, one way to do it is to use gmail IMAP. John Nunemaker wrote up a nice walkthrough showing all the scripts need to parse email out of gmail.

Hosting, Performance, and Tuning

With Rails 2.2 thread safety, you might assume that brings a performance boost for everyone. However, this is not always the case and Pratik Naik explains why.

Ilya Grigorik wrote a blog post about Scaling Rails with MYSQL Plus where he uses the Non-Blocking MySQL driver from Neverblock to get some increased performance out of ActiveRecord which is quite impressive.

If you need to implement full text search in your Rails application, and you are already thinking Sphinx, you may want to check out the Thinking Sphinx PDF by Pat Allan over on Peepcode.

Library News

If you’re a fan of resource_controller (skinny REST controllers) and Shoulda you shoulda definitely check out the starter app by James Golick called Blank.

The next time you need to build a “Software As A Service” website (like basecamp), check out Service Merchant. This gem sits on top of Active Merchant and gives you everything you need to do Subscription Billing.

Do you ever forget your Rails routes? There’s always the “rake routes” command, but that’s not very user friendly. You might want to check out Vasco. Vasco is a Route explorer for Rails which provides a nice web interface to browse through and test all your Rails routes.

If you ever need to build a Rails application which is accessible on multiple domains or multiple paths (like or or then take a look at the Rails Proxy Plugin by Sean Huber. This plugin allows you to dynamically respond to proxied requests by detecting the incoming path and properly setting the session domain, default host, and relative url root.

If you need an easy way to test your plugin which extends ActiveRecord, check out acts_as_fu, which aside from it’s unfortunate name, is pretty slick.

If you came over from PHP, you’re probably familiar with phpMyAdmin. One of the Rails Rumble teams made a Ruby version of phpMyAdmin that’s definitely worth checking out if you’re missing a quick web interface to your db.

Event News

The Rails Rumble is over and you only have 3 more days to vote (voting closes on Midnight November 1st). Cast your vote! It’s good practice for next Tuesday (least in the US).

If you’re over in London, Ruby Manor is taking place November 22nd. Looks like it’s going to be a fun unconference type of event.

Lastly, Rubyconf is next week here in Orlando, Florida where it’s been kinda chilly lately. Definitely pack something warm just in case, and see you next week!

Image Credit: Blue Sky on Rails by ecstaticist, Analog Solutions 606 Mod by Formication, RailsConf Europe 2006 by Paul Watson, Rainbow by One Good Bumblebee
^ In the interest of full disclosure, I do produce Envycasts, and profit from the sale of the screencasts.

Rails 2.2 RC1: i18n, thread safety, docs, etag/last-modified, JRuby/1.9 compatibility

Rails 2.2 is almost ready for its final release, but before we christen the gems, we’d like to have everyone test out a release candidate. Rails 2.2 is a major upgrade that includes a wealth of new features and fixes.

Chief inclusions are an internationalization framework, thread safety (including a connection pool for Active Record), easier access to HTTP caching with etags and last modified, compatibility with Ruby 1.9 and JRuby, and a wealth of new documentation.

Mike Gunderloy has compiled an exhaustive list and walk-through of many of the interesting new features for the Rails 2.2 release notes.

To help test the Rails 2.2 release candidate, please install with:
gem install rails -s -v 2.2.0

Hopefully there will not be too much folly in the RC and we can quickly move to a final release. But it requires your help to get there.

Note that this release is called 2.2.0, not 2.1.99 as our previous naming scheme would have dictated. So the final release of Rails 2.2 will actually be 2.2.1 (if we only need one RC).

Rails 2.1.2: Security, other fixes

Rails 2.1.2 includes the same two security fixes that we pushed out for 2.0.x recently. We’re talking about a backport of the offset/limit sanitization fix for Active Record and a fix against header-injection when using user-contributed strings in redirect_to (see Response Splitting for more information).

In addition, Rails 2.1.2 fixes the warning that users of RubyGems 1.3.0 were having with script/generate as well as a range of other minor fixes. Enjoy!

As always, you can install with:
gem install rails --version 2.1.2

Paris on Rails: December 1st

Paris on Rails is having it’s third annual conference on December 1st. There’s a wealth of great speakers lined up and yours truly will be doing a video iChat session as well. If you register before November 9th, the entrance fee is just 80 euros. If you can, go!

Response Splitting Risk

The Ruby HTTP libraries used by Rails do not perform any santization of the values of their HTTP Headers. This can lead to Response Splitting and Header Injection attacks in certain circumstances where user-provided values are written into response headers. These malformed values can be used to set custom cookies, and forge fake responses to users if your application uses any of the user submitted parameters to construct HTTP headers without sanitizing.

A common scenario where this can be exploited is where your application takes a URL from the query string, and redirects the user to it. To mitigate this common scenario new versions of Rails will be released which sanitize the values passed to redirect_to. However you will still need to take care when writing other values to response headers.

The new versions which will contain the fixes are:

  • 2.0.5
  • 2.1.2
  • 2.2.0

These releases are not available immediately, so in the event that it’s infeasible or inconvenient for your application to sanitize the user-supplied values it passes to redirect_to, patches are available at the following locations.

Users of Edge Rails prior to ba80ff74a962 should update to the latest revisions, cherry pick the change at ba80ff74a962 or or apply this patch

Thanks to Luka Treiber and Mitja Kolsek of ACROS Security for notifying us of this issue and the Ruby Security team for their advice.