Security update: Rails 1.0, 1.1.3 not affected

Good news: Rails 1.0 and prior are not affected by the latest security breach we’ve experienced. Neither is Rails 1.1.3. We’re currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are. We’ll give you more updates as soon as we have the information. Our first priority has been to get a fix out; now we’ll get to the very bottom of this.

Believe you me, we take this extremely seriously. The entire core team is working on this investigation. We’ve currently made the trade-off to keep the details secret to protect people still in the process of upgrading. Once ample time for upgrading has been given and we have investigated this matter to its depth, we’ll release a complete report detailing all our findings.

Thank you for your patience and understanding. We fully understand that nothing quite makes your heart pump like knowing there’s something wrong but not being entirely sure what to do about it. It’s OK to vent that frustration in the comments to this post.

Rails 1.1.5: Mandatory security patch (and more)

We’re still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here’s Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We’ve made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.

For the third time: This is not like “sure, I should be flossing my teeth”. This is “yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour”. It’s not a suggestion, it’s a prescription. So get to it!

As always, the trick is to run “gem install rails” and then either change config/environment.rb, if you’re bound to gems, or run “rake rails:freeze:gems” if you’re freezing gems in vendor.

UPDATE: This problem affects 0.13, 0.14, 1.0, and 1.1.x. So here’s a happy opportunity to upgrade if you still haven’t.

UPDATE 2: We’ve fixed the zlib buffer problems for people on Windows. Redownload the gem and everything should be dandy.

UPDATE 3: Regarding security through obscurity, we’ll release the full details of this issue once everyone has had a fair chance to upgrade their system. Source transparency is of little comfort if you just had your system compromised before you got a chance to apply the patch.

UPDATE 4: This problem does not affect Rails 1.0 or earlier. The only versions affected are 1.1.0, 1.1.1, 1.1.2, and 1.1.4. See security update for details.

UPDATE 5: We’ve released Rails 1.1.6 with additional fixes to the problem and created backported patches for all affected versions.
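Before picking one of the two upgrade paths above it helps to know which Rails an app actually boots. The following is an added Ruby example, not code from the post or from Rails itself; it assumes the Rails 1.1 layout (RAILS_GEM_VERSION in config/environment.rb, or frozen gems under vendor/rails with railties/lib/rails/version.rb) and uses the affected list from UPDATE 4.

```ruby
# Added example, not from the post: report which Rails version an app boots and
# whether the post lists it as affected. Assumes the Rails 1.1 layout described
# in the lead-in; the sample file contents below are constructed.
AFFECTED = [[1, 1, 0], [1, 1, 1], [1, 1, 2], [1, 1, 4]].freeze  # per UPDATE 4
FIXED_IN = [1, 1, 5].freeze                                     # 1.1.5 and 1.1.6 carry the fix

def version_parts(str)
  (str.split('.').map(&:to_i) + [0, 0, 0]).first(3)   # "1.1" means 1.1.0
end

# A frozen vendor/rails wins over RAILS_GEM_VERSION, because config/boot.rb of
# that era loads vendor/rails first whenever the directory exists (assumption).
def booted_version(environment_rb, vendor_version_rb = nil)
  if vendor_version_rb
    parts = %w[MAJOR MINOR TINY].map { |name| vendor_version_rb[/^\s*#{name}\s*=\s*(\d+)/, 1] }
    raise 'incomplete railties/lib/rails/version.rb' if parts.include?(nil)
    return parts.map(&:to_i)
  end
  gem_version = environment_rb[/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/, 1]
  raise 'neither frozen rails nor RAILS_GEM_VERSION found' unless gem_version
  version_parts(gem_version)
end

# :affected, :patched (1.1.5 or later) or :not_affected (1.0 and earlier, 1.1.3)
def status(parts)
  return :affected if AFFECTED.include?(parts)
  (parts <=> FIXED_IN) >= 0 ? :patched : :not_affected
end

# Constructed stand-ins for the real files.
ENV_RB_GEM = "RAILS_GEM_VERSION = '1.1.4'\nrequire File.join(File.dirname(__FILE__), 'boot')\n"
VENDOR_VERSION_RB = "module Rails\n  module VERSION\n    MAJOR = 1\n    MINOR = 1\n    TINY  = 5\n  end\nend\n"

if $PROGRAM_NAME == __FILE__
  puts "gem-bound app: #{status(booted_version(ENV_RB_GEM))}"                    # affected
  puts "frozen app:    #{status(booted_version(ENV_RB_GEM, VENDOR_VERSION_RB))}" # patched
end
```

The second call shows why the frozen copy must be checked first: a stale RAILS_GEM_VERSION in environment.rb says nothing about what a frozen app runs.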

P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we’ll try to work with you on a solution.

Ruby on Rails will ship with OS X 10.5 (Leopard)

It’s finally official: Ruby on Rails will ship with the next version of OS X (see “Internet and Web”). Both server and client (on the developer DVD). We’ve been working with Apple for quite a while to make this happen and it’s great to finally be able to share it with the world. The love for Ruby has definitely spread inside Apple and we’ve been thrilled to see the level of interest they’ve taken in making OS X a premier development and deployment platform for Rails.

The developer seed that was distributed today at WWDC contains Ruby 1.8.4 and Rails 1.1.2, but we fully expect to have Rails 1.2.x along with Mongrel, SQLite bindings, and lots of other Ruby goodies on the final gold master when it goes out in spring.

It’s been no secret that Apple is held in very high regard by the Rails community. Every single Rails Core contributor is running on Apple and the vast majority of Rails developers are too. To see Apple acknowledge this and return the favor is very rewarding.

Thanks so much to Ernest Prabhakar, Jordan Hubbard, and Dave Morin for making this happen.

Caboose Rails Documentation Drive

One of the biggest complaints with Rails is the lack of good documentation. Unfortunately, Rails is still very young, and the talented developers are either extremely busy with their jobs, or being paid to write books. The #caboose folks have started a Documentation Drive to raise $5000 to hire a professional to enhance the documentation. If you use Rails professionally, you should really consider chipping in for the benefit of all Rails developers.

Update: Thanks to some very generous contributors like FiveRuns, Fingertips, Reforge, and cdbaby, the fund is now over $13,000.

Miguel de Icaza longs for the Rails of GUI

Open source hacker extraordinaire Miguel de Icaza muses about the state of GUI APIs in light of Avalon:

I just had a realization today.

Microsoft’s Avalon is the J2EE of GUI APIs.

It’s God’s way of punishing us for replacing the ten commandments with the Design Pattern fad.

We will have to wait a couple of years for the “Rails” of GUI toolkits to come into existence. In the meantime programmers will pay for their sins.

Avalon marks the end of the American Dream.

Now that’s not a happy programmer speaking.

Why you need to come to RailsConf EU

Lars Pind is voicing his concerns over the lack of enthusiasm around RailsConf Europe. I can sympathize with the fears, but allow me to spell out why you need to be at RailsConf Europe.

Rails is not an American thing! It was created by a Dane, after all. The core team musters people from Canada, Germany, and Austria. The community itself involves people from literally all over the world. RailsConf Europe should be asserting that fact and allowing us to demonstrate that there’s a viable ecosystem outside of the US.

Okay, that was the moral call to action. Now for what you get out of it. RailsConf Europe will feature a host of exclusive presentations that aren’t just a rehash of the US conference. We have Kathy Sierra, the star of the recently concluded OSCON, gracing us with her presence. We’ve got Jim Weirich, one of the Ruby community’s best speakers and the creator of Rake and Builder, coming even though he wasn’t at the US version.

Unlike the US version, we actually have Rails core members speaking besides yours truly. The honorable Jamis Buck, the king of Capistrano, wasn’t even at RailsConf US, but will be here. Thomas Fuchs, the czar of, wasn’t at RailsConf US either, but will be here. All that on top of Marcel Molina, Dave Thomas, and myself delivering fresh speeches.

So in many ways, I see the European line-up being even stronger than the US one. That’s not to say it’s all a rosy dance. It’s considerably more expensive to do a conference in London than in the suburbs of Chicago, which means somewhat of a sticker shock. There are currently fewer employment opportunities for Rails in Europe than in the US, so more people have to pay out of their own pockets.

But if you have the means, if you’re working professionally with Rails, you really should come. Let’s reverse the trend of US conferences bringing over an anemic, rehashed show. And let’s assert the fact that Rails is not an American invention or property. It’s a global play and a strong Europe should balance that fact.

See you at RailsConf Europe? I sure hope so! Remember, it’s September 14-15 in London. Register today.

P.S.: Americans are more than welcome too. Considering the great line-up of exclusive speakers and the opportunity for a more intimate experience, I think you have a strong argument for a trip to London this September.

Russian Rails community growing fast

Yaroslav Markin wrote to inform me that the Russian Rails community is experiencing rapid growth and that they’ve now completed a translation of the entire site living at If you speak Russian and want to join the community, they already have hundreds of members in their Google Groups forum.

Do you know of any other local Rails groups making headway? Please post in the comments.

System management gone Rails

It’s interesting to see that we have not one but two upcoming system management/surveillance solutions coming off Rails. There’s Spiceworks and FiveRuns. Now get out of beta and Get Real!

Simply Restful in Rails Edge

David committed the simply_restful plugin to Rails this afternoon, ensuring its inclusion with the next release of Rails. Beware, there are a few API changes from the plugin, and a nice new feature:

# With the plugin: one call per resource, nested paths spelled out by hand
map.resource :post
map.resource :comment, :path_prefix => '/posts/:post_id'
map.resource :trackback, :path_prefix => '/posts/:post_id'

# In core: nest the resources and the prefix is derived for you
map.resources :posts do |posts|
  posts.resources :comments, :trackbacks
end

Nesting the resource blocks will automatically set the path prefix from the parent’s path.

There may be some bugs introduced in the move from plugin to core, so try upgrading (and remember to remove the plugin!) and let us know if you find anything. I have the current version running on a couple apps now, so things should be working.

Update: There is one more restriction I forgot to mention. The _method hack only works on POST requests now. It is no longer valid to link to a URL like /articles/1?_method=delete. Let’s not open that can of worms again.
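The POST-only rule above, as an added Ruby example that is neither from the post nor Rails’ own code: a Rack-style method-override check, assuming an env hash with REQUEST_METHOD, QUERY_STRING and the form body as a String under rack.input.

```ruby
require 'cgi'

# Added example, not Rails' own code: honour _method only on POST, so a GET such as
# /articles/1?_method=delete (followed by a crawler, a prefetcher or an <img> tag)
# can never reach a destructive action. Assumes a Rack-style env hash.
OVERRIDABLE = %w[PUT DELETE].freeze

# Form body and query string merged; each value is a list, as CGI.parse returns it.
def request_params(env)
  CGI.parse(env['rack.input'].to_s).merge(CGI.parse(env['QUERY_STRING'].to_s)) do |_key, body, query|
    body + query
  end
end

# The verb the application should dispatch on.
def effective_method(env)
  original = env['REQUEST_METHOD'].to_s.upcase
  return original unless original == 'POST'               # GET, HEAD etc. are never rewritten
  requested = request_params(env)['_method'].to_a.first.to_s.upcase
  OVERRIDABLE.include?(requested) ? requested : original  # unknown verbs stay POST
end

if $PROGRAM_NAME == __FILE__
  # Constructed requests: a crawled link versus a real form submission.
  crawled = { 'REQUEST_METHOD' => 'GET',  'QUERY_STRING' => '_method=delete', 'rack.input' => '' }
  form    = { 'REQUEST_METHOD' => 'POST', 'QUERY_STRING' => '', 'rack.input' => '_method=delete' }
  puts "GET  ?_method=delete -> #{effective_method(crawled)}"  # GET
  puts "POST _method=delete  -> #{effective_method(form)}"     # DELETE
end
```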

Tip #1: Use my routing navigator plugin to get a handle on what routes are being created.

Tip #2: Use the new *_path routes if you want your routes to have just the path (‘/articles/1’) instead of the whole URL with protocol and host.